Signed headers (was Re: Evolution signatures)
Carl L. Gilbert
Wed Aug 6 22:50:02 2003
On Wed, 2003-08-06 at 16:09, darren chamberlain wrote:
> > I can verify your mail signature and i'm behind a firewall. Oops,
> > according to you that isn't possible. Is it magic?! No, it's public
> > key crypto! (and please _don't_ mind the troll:)
> Good point. I was thinking more along the lines of SSH-style host
> keys, rather than PGP-style.
I don't think it's all that good. Right now my computer's IP address is
192.168.0.2, or some such. But when I send this email, the address
slapped on it by the MTA (which is remote) will be that of my
firewall/NAT router. Unless I misunderstood the point!?
> > > Not that I disagree with you, though -- I think a hostid should be
> > > part of each Received header, which should be verified on a
> > > host-by-host basis (i.e., each successive host in the path verifies
> > > the key of the host that contacted it), perhaps with an ever growing
> > > checksum of those hostids that each machine along the way verifies
> > > and then appends to (such that a machine could verify the checksum
> > > for each set of received headers). But that's just my take on it.
> > > ;)
> > ... or a similar system that exists for GPG/PGP public keys could be
> > used, but instead of personal public keys we distribute host public
> > keys to verify the host-id in the headers.
> This seems to imply that the host's keys would exist in the WoT -- but
> how (why?) would you sign a host's key, as opposed to a person's key?
> It's trivial for a sysadmin to replace one host's key with another.
Since a user has no control over the host, the host key is irrelevant.
I get better security by trusting only myself. Unless you can say why
trusting a chain of servers enhances something!?
"Then said I, Wisdom [is] better than strength: nevertheless the poor
man's wisdom [is] despised, and his words are not heard." Ecclesiastes
GnuPG Key Fingerprint:
82A6 8893 C2A1 F64E A9AD 19AE 55B2 4CD7 80D2 0A2D
GNU Privacy Guard http://www.gnupg.org (Encryption and Digital
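
The "ever growing checksum" of hostids proposed in the quoted text, sketched as an added example that is not part of the original message or of any mail software. The hostid strings, the hop record layout and all function names are assumptions made for illustration, and the per-hop verification of host keys from the proposal is not modelled.

```python
import hashlib

def extend(prev_chain: str, hostid: str) -> str:
    """Running checksum: SHA-256 over the previous value plus this hop's hostid."""
    return hashlib.sha256(f"{prev_chain}\n{hostid}".encode()).hexdigest()

def add_hop(hops: list, hostid: str) -> list:
    """What each relay would do: append its hostid and the extended checksum."""
    prev = hops[-1]["chain"] if hops else ""
    return hops + [{"hostid": hostid, "chain": extend(prev, hostid)}]

def first_bad_hop(hops: list):
    """Recompute the chain in path order; return the first mismatching index, else None."""
    prev = ""
    for i, hop in enumerate(hops):
        if hop["chain"] != extend(prev, hop["hostid"]):
            return i
        prev = hop["chain"]
    return None

def sample_path() -> list:
    """Constructed three-hop path; the hostids are made-up placeholders."""
    hops = []
    for hostid in ("hostid-mta.example", "hostid-relay.example", "hostid-mx.example"):
        hops = add_hop(hops, hostid)
    return hops

def rewrite_and_recompute(hops: list, index: int, new_hostid: str) -> list:
    """Swap one hostid and rebuild every checksum. A bare hash has no key,
    so any relay on the path can do this and the chain still verifies."""
    ids = [h["hostid"] for h in hops]
    ids[index] = new_hostid
    out = []
    for hostid in ids:
        out = add_hop(out, hostid)
    return out

if __name__ == "__main__":
    path = sample_path()
    print("untouched path:", first_bad_hop(path))
    edited = [dict(h) for h in path]
    edited[1]["hostid"] = "hostid-other.example"   # changed, checksum left alone
    print("hostid edited in place:", first_bad_hop(edited))
    print("hop removed:", first_bad_hop(path[:1] + path[2:]))
    print("rewritten and recomputed:",
          first_bad_hop(rewrite_and_recompute(path, 1, "hostid-other.example")))
```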