Questions about generating keys

Oskar L. oskar at rbgi.net
Sat Aug 25 03:46:25 CEST 2007


Robert J. Hansen wrote:
> Because there is no such thing as an 'insignificant' amount of
> resources.  Everything has a price associated with it.  The trick is to
> get the most bang for your buck.

Well I guess what's insignificant to one person might not be to another. I
know some spammers get addresses by scanning common names, so I would get
name123 at example.com instead of name at example.com. I consider having to type
3 digits more a day to be an insignificant hassle, and well worth the
extra security.

Robert J. Hansen wrote:
>> If you visit Bob and he gives you his fingerprint, and when you get
>> home you see that it matches the one on his key, then the key is
>> authenticated.
>
> No.  You also have to trust that Bob isn't playing a game with you.

That the key is authentic means that it is the key Bob wanted you to have,
and has not been changed in a man-in-the-middle attack or by any other
means. That's all. You can be sure of this if the fingerprint matches. You
do not need to trust Bob for the key to be authentic. Bob can be the
biggest liar in the world, you still have his authentic key. To be secure
you also need to trust him. Authentication can exist without trust, and
trust can exist without authentication, but only both combined create
security.

Think of it this way. Let's say you don't trust Google for some reason.
Then you go to https://mail.google.com, and verify that the SSL
certificate is correct, so you can be sure you're not on a phishing site.
Would you now claim that the site isn't authentic, just because you don't
trust Google?

Or if you see someone you don't trust, can your eyes then not authenticate
to you that the person is who you think they are? Of course they can,
because authentication does not require trust, it's security that does.

If you do not trust Bob, you can do gpg --edit-key Bob, then type trust.
You will be given these options:
  1 = I don't know or won't say
  2 = I do NOT trust
  3 = I trust marginally
  4 = I trust fully
  5 = I trust ultimately

>> If you now get Mary's key, with a signature from Bob,
>> this does not make Mary's key authenticated!
>
> Yes.  Like I said: you're really looking for a _trusted_ signature.
> Clearly, in this case you do not trust Bob to make signatures that are
> in accordance with your security policy.

Even if we trust Bob completely, then his signature would still just add
trust to Mary's key, not authentication. We _trust_ that Bob has checked
Mary's fingerprint carefully before signing her key, we have not _verified_
that he has.

> What world do you live in which offers total assurances of anything
> other than the inevitability of death and taxes?

A world in which medical advances will get rid of death and
crypto-anarchism will get rid of taxes? But seriously, when it comes to
people trust is the best you can have. You know your friend is able to hit
you in the face, but you have good reasons for strongly believing he/she
won't. But that's as good as it gets. There's no proof. You can't be 100%
sure. Total assurance can be found in mathematics. You don't trust that
5+5=10, you know it.

Oskar
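An added example, not part of Oskar's post or of GnuPG itself: a small Python model of the distinction argued above, where a key is authenticated only by a fingerprint you compared yourself, while the 1-5 owner-trust levels from `gpg --edit-key` / `trust` only decide how much a signature from that key is worth. It loosely follows the shape of GnuPG's classic trust model with its default settings (completes-needed 1, marginals-needed 3, max-cert-depth 5); the uids and fingerprints are constructed placeholders.

```python
from dataclasses import dataclass, field

UNKNOWN, NEVER, MARGINAL, FULL, ULTIMATE = 1, 2, 3, 4, 5   # owner-trust menu values


@dataclass
class Key:
    uid: str
    fingerprint: str
    signers: list = field(default_factory=list)   # uids whose keys certify this one


def authenticated(key: Key, fingerprint_from_owner: str) -> bool:
    """Authenticity: the key is the one Bob handed you. Requires no trust in Bob."""
    return key.fingerprint == fingerprint_from_owner


def validity(uid, keys, ownertrust, verified, depth=0,
             completes_needed=1, marginals_needed=3, max_cert_depth=5) -> str:
    """'full', 'marginal' or 'unknown': how sure we are the key belongs to uid."""
    if uid in verified or ownertrust.get(uid) == ULTIMATE:
        return "full"              # you compared the fingerprint yourself
    if depth >= max_cert_depth:
        return "unknown"           # bound the chain of certifications
    full = marginal = 0
    for signer in keys[uid].signers:
        # a certification only counts if the signer's own key is fully valid ...
        if validity(signer, keys, ownertrust, verified, depth + 1,
                    completes_needed, marginals_needed, max_cert_depth) != "full":
            continue
        # ... and then it adds *trust*, weighted by the owner-trust you assigned
        level = ownertrust.get(signer, UNKNOWN)
        if level >= FULL:
            full += 1
        elif level == MARGINAL:
            marginal += 1
    if full >= completes_needed or marginal >= marginals_needed:
        return "full"
    return "marginal" if (full or marginal) else "unknown"


# The thread's scenario (constructed data): Bob's fingerprint was checked in
# person; Bob has signed Mary's key; you never saw Mary's fingerprint.
KEYS = {
    "bob":  Key("bob",  "BOB0 FPR0 CONSTRUCTED"),
    "mary": Key("mary", "MARY FPR0 CONSTRUCTED", signers=["bob"]),
}
VERIFIED = {"bob"}   # fingerprints you compared yourself


def marys_validity(bob_ownertrust: int) -> str:
    """Mary's key validity as a function of the trust level you give Bob."""
    return validity("mary", KEYS, {"bob": bob_ownertrust}, VERIFIED)
```

Setting Bob to level 4 makes Mary's key fully valid, yet `authenticated()` on her key is still false: that validity rests on trusting Bob's checking, not on your own verification.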