Keysigning challenge policies/procedures
alphasigmax at gmail.com
Sun Jul 9 06:27:56 CEST 2006
Michael Kallas wrote:
> David Shaw wrote:
>> I've been away on vacation and only picked up this thread now. This
>> statement is not correct. Back in the PGP 2.x days, this might have
>> been true, but with OpenPGP, there is no particular requirement that
>> the ability to sign and the ability to decrypt are connected. You can
>> have a shared key with separate capabilities.
>> Sending a signed key via encrypted mail does not ensure anything
>> about the key owner.
> Why not?
> Sorry, this conclusion was too fast for me, could you please explain a
> little bit?
Suppose you send an email to Address W and encrypt an "authentication
token" to Key X. You receive a reply from Address Y, containing the
authentication token, which has been signed with Key Z.
This tells you that /someone/ with access to W has received a message;
/someone/ with access to X has decrypted it; /someone/ with access to Z
has signed a reply; and /someone/ with access to Y has sent a reply.
Keys X and Z may or may not be the same key or subkeys of the same
primary key, addresses W and Y may or may not be the same, and Y may or
may not have been faked (which is trivial).
The "owners" of W, X, Y and Z could be four different people, or they
might not be people at all; all you can really say about the "key owner"
is that X is in contact with W and Z, and Z is in contact with X and Y.
Death to all fanatics!
Down with categorical imperative!
OpenPGP key: http://tinyurl.com/lvq4g
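The exchange described in the post above, modelled as an added example that is not part of the original thread. Textbook RSA with fixed Mersenne primes stands in for OpenPGP so the script runs offline without GnuPG; the certificate names, addresses and the challenge token are constructed, and "fingerprint" is simplified to a hash of the certificate name, which is the property a verifier actually compares (two subkeys of one certificate look like the same key). The honest case (one person, one key, one address) and the split case (X and Z are subkeys of one certificate held by different people, W read by a third, the reply's From: forged) produce identical verification results.

```python
"""Model of the keysigning challenge: textbook RSA (fixed Mersenne primes,
no padding) stands in for OpenPGP so this runs offline.  Toy-sized keys,
illustration only."""
import hashlib
from dataclasses import dataclass

# Mersenne primes, chosen so key generation is deterministic (constructed choice).
M31, M61, M89, M107, M127, M521 = (2**k - 1 for k in (31, 61, 89, 107, 127, 521))


@dataclass(frozen=True)
class Key:
    """One OpenPGP-style key.  `cert` names the primary certificate it is bound
    to (several subkeys may share one); `d` is the private exponent that only
    the holder of this particular key sees."""
    cert: str
    n: int
    e: int
    d: int

    def fingerprint(self) -> str:
        # Simplification: a verifier compares certificate fingerprints, so two
        # subkeys of one certificate are "the same key" as far as it can tell.
        return hashlib.sha256(self.cert.encode()).hexdigest()[:16]


def make_key(cert: str, p: int, q: int, e: int = 65537) -> Key:
    return Key(cert, p * q, e, pow(e, -1, (p - 1) * (q - 1)))


def digest(data: bytes) -> int:
    # 128-bit digest so the value is below every modulus used here.
    return int.from_bytes(hashlib.blake2b(data, digest_size=16).digest(), "big")


def encrypt_to(key: Key, token: bytes) -> int:
    return pow(int.from_bytes(token, "big"), key.e, key.n)


def decrypt_with(key: Key, ciphertext: int) -> bytes:
    return pow(ciphertext, key.d, key.n).to_bytes(16, "big")


def sign_with(key: Key, data: bytes) -> int:
    return pow(digest(data), key.d, key.n)


def verify(key: Key, data: bytes, sig: int) -> bool:
    return pow(sig, key.e, key.n) == digest(data)


TOKEN = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed challenge value


def run_exchange(address_w: str, key_x: Key, key_z: Key, address_y: str) -> dict:
    """A token encrypted to X is mailed to W; a reply signed by Z comes back
    from Y.  The middle steps are done by whoever holds X, holds Z and
    controls Y; nothing here requires that to be one person."""
    challenge = {"to": address_w, "ciphertext": encrypt_to(key_x, TOKEN)}
    token = decrypt_with(key_x, challenge["ciphertext"])   # holder of X
    signature = sign_with(key_z, token)                     # holder of Z
    return {"from": address_y, "token": token, "signature": signature}  # controller of Y


def assess(reply: dict, address_w: str, key_x: Key, key_z: Key) -> dict:
    """Everything the verifier can check on the reply it received."""
    return {
        "token_matches": reply["token"] == TOKEN,
        "signed_by_Z": verify(key_z, reply["token"], reply["signature"]),
        "Z_is_X": key_z.fingerprint() == key_x.fingerprint(),
        "Y_is_W": reply["from"] == address_w,
    }


def honest_case() -> dict:
    """One person, one key used for both capabilities, one address."""
    alice = make_key("alice-cert", M127, M89)
    reply = run_exchange("alice@example.org", alice, alice, "alice@example.org")
    return assess(reply, "alice@example.org", alice, alice)


def split_case() -> dict:
    """Encryption subkey X and signing subkey Z of one certificate, on two
    different people's machines; W is read by a third person; the From:
    header of the reply is simply forged to match W."""
    key_x = make_key("shared-cert", M107, M61)   # on Mallory's machine
    key_z = make_key("shared-cert", M521, M31)   # on Bob's machine
    reply = run_exchange("w@example.org", key_x, key_z, "w@example.org")
    return assess(reply, "w@example.org", key_x, key_z)


if __name__ == "__main__":
    print("honest:", honest_case())
    print("split: ", split_case())
```

Both calls return every check as True; the verifier's view of the two runs is identical, which is the point of the post: a correct token under a valid signature proves that X decrypted and Z signed, not who did either.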
More information about the Gnupg-users