Signing a key (meaning)

Grant Olson kgo at grant-olson.net
Sun Apr 10 22:42:14 CEST 2011


On 04/10/2011 02:48 PM, Jan Janka wrote:
> 
> But my ponit is as follows:
> One reason we use GnuPG for is we think it is significant likeky there's a "man in the middle attack" or someone has access to email accounts he should not have. Given that, what benefit does one take from knowing my communication partner has access to a certain email account?
> 
> I'm grateful for answers,
> Jan 
> 

The biggest benefit is that you can actually email the person. ;-)

If you don't believe or know (to a reasonable degree) that a person has
control of his email, then you can't communicate with them securely by
email.  At best, they never get the message and it's pointless.  At
worst, some hypothetical exploit by some hypothetical attacker
compromises your communications.  (Developing this hypothetical attack
is left as an exercise to the reader...)

You could use something like pgpboard or a usenet group.  You could
fedex them a usb stick.  You could use a carrier pigeon.  In which case,
yes, their email address is irrelevant for your purposes.  But an
overwhelming majority of people are going to prefer email to the
alternatives.

In the case of your friend, who you've already been communicating with,
I don't think sending the signature to his email address performs any
additional verification.  But that's because you've already established
a few conditions of key validity, not because you don't care if he
controls an email account or not.

You already have good reason to believe that: (1) you know his real
world identity, because you know him in the real world.  (2) He has
control of the communication endpoint (the email address) because you've
been emailing him back and forth.  When those two conditions are already
established, you only need to verify the fingerprint directly to
establish there's not a MITM attack.

I think the email check is more useful and perhaps even required for
something like a key-signing party, where you've never engaged in email
communications with this person before.  You start off with everything
about this person as an unknown.  You need to (1) examine a government
issued id to verify this persons real-world identity.  (2) Get the
fingerprint directly to demonstrate that he actually controls the key in
question; he's not a MITM.  (3) Send the info to the email tests that he
actually controls the endpoint he claims to control.

-- 
-Grant

"Look around! Can you construct some sort of rudimentary lathe?"

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 565 bytes
Desc: OpenPGP digital signature
URL: </pipermail/attachments/20110410/00c2c281/attachment.pgp>


More information about the Gnupg-users mailing list