The disadvantages of online KSP
atom at suspicious.org
Sun Dec 26 05:46:16 CET 2004
On Sat, 25 Dec 2004, Ben Branders wrote:
> Yes, of course. But even if you do meet them in real life, how can you
> ever be sure? If, for example, someone uses a nickname for his
> e-mail address and his key, how can you check if he really 'owns' that
> Suppose I know someone with the nickname X2. I also know that there is a
> key signing party next week. I make a new e-mail account, x2 at mail.com.
> Then I generate a key for that account, but instead of typing my name, I
> use 'X2' (which is of course the nickname of someone else).
> I go to the KSP and someone wants to sign my key. Although he can check
> my identity, he can't know if X2 is my real nickname or not...
it makes no difference whether they're using a real name or pseudonym, if
someone wants me to sign their key they have to *PROVE* to my satisfaction
that they are who they claim to be. if someone is known as X2, then they
have the same burden of proving their identity as they would if their name
is david shaw. in either case they have to convince me that they are who
they claim to be, although X2 may have a harder time of it than david shaw
(i used to know someone else named david shaw). if either of them can't
convince me that they are who they claim to be i will NOT sign their key.
i just wrote an extensive article on this topic (pgp Key Signing
Observations - Overlooked Social and Technical Considerations) and i hope
to see it soon in 2600, and several other publications after they break
it. i'll also be talking about it at interz0ne 4.
PGP key - http://atom.smasher.org/pgp.txt
762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808
"Simply stated, there is no doubt that Saddam Hussein now
has weapons of mass destruction."
-- Dick Cheney, 26 August 2002