Signed headers (was Re: Evolution signatures)

Carl L. Gilbert
Wed Aug 6 22:50:02 2003

Content-Type: text/plain
Content-Transfer-Encoding: quoted-printable

On Wed, 2003-08-06 at 16:09, darren chamberlain wrote:
> =20
> > I can verify your mail signature and i'm behind a firewall. Oops,
> > according to you that isn't possible. Is it magic?! No, it's public
> > key crypto!  (and please _don't_ mind the troll:)
> Good point.  I was thinking more along the lines of SSH-style host
> keys, rather than PGP-style.

I don't think its all that good.  Right now my computers ip address is, or some such.  But when I send this email, the address
slapped on it my the MTA (which is remote) will be that of my
firewall/NAT router.  Unless I misunderstood the point!?

> > > Not that I disagree with you, though -- I think a hostid should be
> > > part of each Recieved header, which should be verified on a
> > > host-by-host basis (i.e., each successive host in the path verifies
> > > the key of the host that contacted it), perhaps with an ever growing
> > > checksum of those hostids that each machine along the way verifies
> > > and then appends to (such that a machine could verify the checksum
> > > for each set of recieved headers).  But that's just my take on it.
> > > ;)
> >=20
> > ... or a similar system that exists for GPG/PGP public keys could be
> > used, but instead of personal public keys we distribute host public
> > keys to verify the host-id in the headers.
> This seems to imply that the host's keys would exist in the WoT -- but
> how (why?) would you sign a host's key, as opposed to a persons key?
> It's trivial for a sysadmin to replace one host's key with another.
> (darren)

Since a user has no control over the host, the host key is irrelevant.=20
I get better security by trusting only myself.  Unless you can say why
trusting a chain of servers enhances something!?

Thank you,

CL Gilbert
"Then said I, Wisdom [is] better than strength: nevertheless the poor
man's wisdom [is] despised, and his words are not heard." Ecclesiastes

GnuPG Key Fingerprint:
82A6 8893 C2A1 F64E A9AD  19AE 55B2 4CD7 80D2 0A2D
GNU Privacy Guard (Encryption and Digital

Content-Type: application/pgp-signature; name=signature.asc
Content-Description: This is a digitally signed message part

Version: GnuPG v1.2.2 (GNU/Linux)