playing with cryptography...

reynt0 reynt0 at cs.albany.edu
Fri May 23 23:54:25 CEST 2008


(replying to John Clizbe's post, but his full message is
an attachment as read by my nice simple email software so
"Reply" gives only a blank message, so I had to fiddle to
get it to show like a usual quoted reply)
  . . .
> Most Class I Certificates only prove you have control of the
> email address. Not that you actually are who the name and
> email purport to be.

Of course, the issue is, who "you" refers to and how do
you know?  I believe many assumptions are made by many
people about this, just following natural human social
behaviors, and the tricksters are often good at sifting
through the assumptions to see where they can sneak in.
That is, maybe *the way people often talk about this*
is "Philosophy 101 stuff" (as RJH said), but the subject
is serious and important, IMHO, and the more people can
be aware of this on like a Philosophy 401 basis the less 
at-risk they will be.

As GM indicated, the base reality is "to treat the
certificate/gpg key as identity", then add anything, like
email, signed by the key as part of the identity, and
maybe sometime form a judicious belief about some
particular human person being associated with the key.
To be picky, anything else is assumptions; and e.g. in
a world full of *bots, long-established natural human
assumptions will have to be reevaluated.

> There's a fairly simple explanation of the difference
> in the two architectures by Phil Zimmermann at
> http://www.openpgp.org/technical/whybetter.shtml

Nice reference; lucid explanation.
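Added example (editor's addition, not part of reynt0's message and not GnuPG's own code): the "treat the key as identity" point above, made concrete. gpg's --status-fd output reports both the free-text user ID (GOODSIG) and the signing key's fingerprint (VALIDSIG); the code below binds identity to a pinned fingerprint and keeps the user ID only for display, so a key whose UID reads like a trusted person is rejected while a pinned key with an odd UID is accepted. The status-line format is gpg's documented one; the fingerprints, user IDs, timestamps and the PINNED table are constructed for illustration.

```python
"""Decide who signed a message from gpg --status-fd output, binding the
identity to the key fingerprint rather than to the user-ID text.

Status-line keywords (GOODSIG, VALIDSIG, BADSIG, ...) follow gpg's
documented --status-fd format. All fingerprints, user IDs, timestamps
and the PINNED table are constructed sample data, not real keys."""

import re
from dataclasses import dataclass
from typing import Iterable, Optional

# Hypothetical pinned keys: primary-key fingerprint -> the identity *we*
# decided to associate with that key after out-of-band verification.
# The fingerprint is the identity; the label is our own bookkeeping.
PINNED = {
    "0123456789ABCDEF0123456789ABCDEF01234567": "list-moderator",
}

STATUS_PREFIX = "[GNUPG:] "
FATAL = {"BADSIG", "ERRSIG", "NO_PUBKEY", "EXPKEYSIG", "REVKEYSIG"}


@dataclass
class Verdict:
    ok: bool
    fingerprint: Optional[str]
    identity: Optional[str]   # from PINNED, never from the UID text
    claimed_uid: Optional[str]  # whatever the key's creator typed; display only
    reason: str


def parse_status(lines: Iterable[str]) -> list[tuple[str, list[str]]]:
    """Return (keyword, args) for each '[GNUPG:] KEYWORD args...' line."""
    out = []
    for line in lines:
        line = line.rstrip("\n")
        if not line.startswith(STATUS_PREFIX):
            continue
        parts = line[len(STATUS_PREFIX):].split(" ")
        out.append((parts[0], parts[1:]))
    return out


def identity_from_status(lines: Iterable[str], pinned=PINNED) -> Verdict:
    claimed_uid = None
    fingerprint = None
    fatal = None
    for kw, args in parse_status(lines):
        if kw == "GOODSIG":
            # args: <long keyid> <user-id string...>. The UID is free text
            # chosen by whoever made the key, so it proves nothing by itself.
            claimed_uid = " ".join(args[1:])
        elif kw == "VALIDSIG":
            # args[0] is the signing (sub)key fingerprint; args[9], when
            # present, is the primary key fingerprint. Pin the primary.
            fingerprint = args[9] if len(args) > 9 else args[0]
        elif kw in FATAL and fatal is None:
            fatal = kw
    if fatal is not None:
        return Verdict(False, fingerprint, None, claimed_uid, fatal)
    if fingerprint is None:
        return Verdict(False, None, None, claimed_uid, "no VALIDSIG")
    if not re.fullmatch(r"[0-9A-F]{40}", fingerprint):
        return Verdict(False, fingerprint, None, claimed_uid, "malformed fingerprint")
    identity = pinned.get(fingerprint)
    if identity is None:
        return Verdict(False, fingerprint, None, claimed_uid, "unpinned key")
    return Verdict(True, fingerprint, identity, claimed_uid, "pinned")


# Constructed transcripts in --status-fd format (not captured gpg output).
# A good signature from an unpinned key whose UID impersonates the moderator:
IMPOSTOR = [
    "[GNUPG:] NEWSIG",
    "[GNUPG:] GOODSIG 0123456789ABCDEF List Moderator <moderator@example.org>",
    "[GNUPG:] VALIDSIG 89ABCDEF0123456789ABCDEF0123456789ABCDEF 2008-05-23 "
    "1211579640 0 4 0 1 8 00 89ABCDEF0123456789ABCDEF0123456789ABCDEF",
    "[GNUPG:] TRUST_UNDEFINED 0 pgp",
]
# A good signature from the pinned key, carrying an unhelpful UID:
LEGIT = [
    "[GNUPG:] NEWSIG",
    "[GNUPG:] GOODSIG 89ABCDEF01234567 anonymous <nobody@example.invalid>",
    "[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2008-05-23 "
    "1211579640 0 4 0 1 8 00 0123456789ABCDEF0123456789ABCDEF01234567",
    "[GNUPG:] TRUST_UNDEFINED 0 pgp",
]

if __name__ == "__main__":
    for label, transcript in (("impostor", IMPOSTOR), ("legit", LEGIT)):
        print(label, identity_from_status(transcript))
```

To drive this with real output, run gpg --status-fd 1 --verify on the message and feed its stdout lines to identity_from_status; anything gpg prints about the UID, however familiar the name looks, only ever lands in claimed_uid.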



More information about the Gnupg-users mailing list