can you deny you sent a signed e-mail?
Neil Williams
linux at codehelp.co.uk
Tue Apr 27 23:02:40 CEST 2004
On Tuesday 27 April 2004 9:28, Mortimer Graf zu Eulenburg wrote:
> Yes, but if people go in and fake complete signing networks that sign and

That is a seriously difficult task - a completely separate signing network is
easy - getting people in the strong set to trust it requires a lot of
security-aware people to be duped.

> revoke signs to make the keys appear sinister then it will be hard to argue

You cannot make someone else's strong key appear sinister by adding and
revoking signatures, you just make their key very cluttered. It's revoked
KEYS that are important in denying a signed email. If you revoke your
signature on my key, that does not affect the validity of my digital
signature and it may even have no particular effect on the level of trust in
my key because there are lots of other signatures on my key.

> around that your key underwent some sort of attack. It would be also very
> hard to defend such attacks, at last everybody is free to sign whomever key

Have you misunderstood signing, perhaps?

If you sign my key, you can only revoke your signature on my key. That doesn't
affect the validity of my key as attested by other signatures.

So if you 'attack' my key, all that happens is that I get another nonsense
signature added to the key. It doesn't invalidate the signatures made by
others and in particular it does NOT make your key trusted - I have to sign
YOUR key to make it trusted. That requires YOU to prove to me that you are
the physical person declared in the key. I will not sign your key without
full verification, so your key never becomes trusted.

A long collection of revoked signatures on a key is NOT the same as a long
list of revoked keys by a single user. It again comes back to trust - how
trustworthy are the signatures that remain? GnuPG disregards any revoked
signatures as well as signatures by untrusted keys, when calculating trust.

> he wants to and revoke it with "key compromised" or such reason..

You are free to revoke your key, but that alone cannot affect my key. That's
the strength of the web of trust, it is a web, not a chain.
There is more than one path from my key to X key in the strong set, say
Werner's.
--
Neil Williams
=============
http://www.codehelp.co.uk/
http://www.dclug.org.uk/
http://www.isbn.org.uk/
http://sourceforge.net/projects/isbnsearch/
http://www.biglumber.com/x/web?qs=0x8801094A28BCB3E3
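
Added example (not part of the original message, and not GnuPG's code): a
simplified model of the trust calculation described above, in which revoked
certifications and certifications from keys that are not valid are ignored.
The key names, ownertrust values and signature graph are constructed; the
thresholds are the defaults of GnuPG's --completes-needed, --marginals-needed
and --max-cert-depth options.

```python
from dataclasses import dataclass

# Defaults of GnuPG's --completes-needed, --marginals-needed, --max-cert-depth
COMPLETES_NEEDED, MARGINALS_NEEDED, MAX_DEPTH = 1, 3, 5

@dataclass(frozen=True)
class Cert:
    signer: str
    signee: str
    revoked: bool = False   # True = the signer revoked their certification

def valid_keys(me, ownertrust, certs):
    """Keys considered valid by `me`. ownertrust: key -> 'full' | 'marginal'."""
    trust = {**ownertrust, me: "full"}   # simplification: own key counts as full
    valid = {me}
    for _ in range(MAX_DEPTH):
        newly = set()
        for key in {c.signee for c in certs} - valid:
            # A revocation cancels that signer's certification on this key only.
            revoked = {c.signer for c in certs if c.signee == key and c.revoked}
            # Certifications from keys that are not (yet) valid are ignored.
            signers = {c.signer for c in certs
                       if c.signee == key and c.signer in valid} - revoked
            full = sum(trust.get(s) == "full" for s in signers)
            marginal = sum(trust.get(s) == "marginal" for s in signers)
            if full >= COMPLETES_NEEDED or marginal >= MARGINALS_NEEDED:
                newly.add(key)
        if not newly:
            break
        valid |= newly
    return valid

# Constructed sample: alice is the verifier; werner and ian are keys she has
# signed and trusts fully; mallory runs a self-contained fake signing network.
OWNERTRUST = {"werner": "full", "ian": "full"}
BASE = [Cert("alice", "werner"), Cert("alice", "ian"),
        Cert("werner", "neil"), Cert("ian", "neil"),
        Cert("mallory", "fake1"), Cert("fake1", "fake2"), Cert("fake2", "mallory")]

def scenario(extra):
    return valid_keys("alice", OWNERTRUST, BASE + extra)

if __name__ == "__main__":
    print(sorted(scenario([])))                                   # baseline
    print(sorted(scenario([Cert("mallory", "neil"),
                           Cert("mallory", "neil", True)])))      # clutter only
    print(sorted(scenario([Cert("werner", "neil", True)])))       # one path gone
```

All three runs print the same set: the sign-and-revoke clutter changes
nothing, and neil's key stays valid through the remaining path when one
certification is revoked.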