can you deny you sent a signed e-mail?
Neil Williams
linux at codehelp.co.uk
Tue Apr 27 21:21:22 CEST 2004
On Tuesday 27 April 2004 6:37, Jerry Windrel wrote:
> That's actually a crucial question that needs to be resolved in order for
> digital signatures to be more widely adopted. If anyone can just revoke
Adoption will only move as fast as the trust. Signing with an untrusted key
declares your willingness to use GnuPG/PGP but the crucial element here is
about keysigning and trust.
> their key and claim a hacker break-in, then what good does it do to
> generate signatures to begin with?
Claiming a compromise when none occurred is deceitful; the costs of such lies
will impact on the keyowner but how much depends on the web of trust.
If the key is part of the strong set, i.e. if it's signed by other strong keys
rather than a long list of nonsense keys, then there is a lot to lose by
revoking the key. Denying a digital signature on such an email (like this
one) is going to be costly in terms of the trust held in that key and its
owner.
Someone who habitually revokes keys is going to find it hard to get his key
repeatedly signed by other strong keys, so far fewer people will end up
trusting the new key.
A signature is much more than just anti-tamper - a valid signature from an
untrusted key is not as useful as a valid signature from a trusted key.
Anyone can create a new key that carries the same name and email address as
an untrusted key. Until the key (and therefore the keyid) can be trusted, you
can't know if this is a new key for an existing untrusted user or a new key
from an unknown user.
Keyservers can also provide clues here; signatures can only be verified if the
public key is public so each revoked key will show up on the keyserver. As
these don't get deleted, a search for the user might shed some light if
anyone has cause to doubt the sincerity of the claim of a compromise.
--
Neil Williams
=============
http://www.codehelp.co.uk/
http://www.dclug.org.uk/
http://www.isbn.org.uk/
http://sourceforge.net/projects/isbnsearch/
http://www.biglumber.com/x/web?qs=0x8801094A28BCB3E3
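
The keyserver check described in the last paragraph of the message, as an added example that is not part of the original post: it reads a `gpg --with-colons --list-keys` listing and reports how many keys carrying one e-mail address have been revoked. It assumes the keys found for that address were already fetched into a keyring; the sample listing, key IDs and addresses are constructed.

```python
from datetime import datetime, timezone

# Constructed sample in `gpg --with-colons --list-keys` format.
# Key IDs, dates and addresses are made up for illustration.
SAMPLE = """\
pub:r:1024:17:1111111111111111:1009843200:::-:::sc:
uid:r::::1009843200::::Alice Example <alice@example.org>:
pub:r:1024:17:2222222222222222:1041379200:::-:::sc:
uid:r::::1041379200::::Alice Example <alice@example.org>:
pub:-:1024:17:3333333333333333:1072915200:::-:::scESC:
uid:-::::1072915200::::Alice Example <alice@example.org>:
pub:-:1024:17:4444444444444444:1072915200:::-:::scESC:
uid:-::::1072915200::::Bob Example <bob@example.org>:
"""

def key_history(listing, email):
    """Keys whose user ID carries <email>: (keyid, created, revoked), oldest first.

    A matching user ID does not prove a common owner: anyone can create a key
    with the same name and address, so treat the result as a clue only.
    """
    keys, current = [], None
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] == "pub" and len(f) > 5:
            # Field 2 is validity ('r' = revoked), 5 the key ID, 6 the creation time.
            current = {"keyid": f[4], "created": int(f[5]) if f[5].isdigit() else 0,
                       "revoked": f[1] == "r", "uids": []}
            keys.append(current)
            if len(f) > 9 and f[9]:  # older gpg: primary user ID on the pub line
                current["uids"].append(f[9].replace("\\x3a", ":"))
        elif f[0] == "uid" and current is not None and len(f) > 9:
            current["uids"].append(f[9].replace("\\x3a", ":"))  # undo colon escaping
    needle = f"<{email.lower()}>"
    hits = [k for k in keys if any(needle in u.lower() for u in k["uids"])]
    hits.sort(key=lambda k: k["created"])
    return [(k["keyid"],
             datetime.fromtimestamp(k["created"], timezone.utc).strftime("%Y-%m-%d"),
             k["revoked"]) for k in hits]

def revoked_count(listing, email):
    """Number of revoked keys that carry this address."""
    return sum(1 for _, _, revoked in key_history(listing, email) if revoked)

if __name__ == "__main__":
    for keyid, created, revoked in key_history(SAMPLE, "alice@example.org"):
        print(keyid, created, "REVOKED" if revoked else "not revoked")
```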