Signing a key (meaning)

Grant Olson kgo at grant-olson.net
Mon Apr 11 19:06:48 CEST 2011


On 4/11/11 4:18 AM, Jan Janka wrote:
>>> One reason we use GnuPG is that we think it
>>> is significantly likely there's a "man in the
>>> middle attack" or someone has access to email 
>>> accounts he should not have. Given that, what 
>>> benefit does one take from knowing my communication 
>>> partner has access to a certain email account?
> 
>> The biggest benefit is that you can actually email the person. ;-)
> 
> That's true, but WHY should anybody (even an attacker) place an email address in the ID over which they have no control?
> 

The obvious example is the standard MITM attack.  They don't have access
to a person's inbox, but they intercept messages before they get to their
ISP's mail server, and re-encrypt them to the 'real' key.  They still
don't have control over the endpoint, they can't read, modify, or delete
existing messages, but they can modify things in transit.

Again, I think you can probably start with a different set of base
assumptions when signing an associate's key and a stranger's key.

And some people have reasons I can't even fathom:

johnmudhead:~ grant$ gpg --keyserver pool.sks-keyservers.net
--search-keys president at whitehouse.gov
gpg: searching for "president at whitehouse.gov" from hkp server
pool.sks-keyservers.net
(1)	Barak Obama (I'm the president) <obama at whitehouse.gov>
	  2048 bit RSA key B110EE8F, created: 2010-12-09
(2)	Barack Hussein Obama (DOD) <president at whitehouse.gov>
	  1024 bit DSA key 0B72EB0F, created: 2009-04-27
(3)	BUsh the past coming... <president at whitehouse.gov>
	  1024 bit DSA key 6909AF98, created: 2008-10-27
(4)	clinton_lewinsky <president at whitehouse.gov>
	  1024 bit DSA key AD3EE118, created: 2008-10-27
(5)	ElPresi! (the president of the white house...) <president at whitehouse.g
	  2048 bit RSA key 0BCC736D, created: 2008-10-26
(6)	bushbushbushbushbush <president at whitehouse.gov>
	  1024 bit DSA key E3F0063A, created: 2008-02-10
(7)	George Bush (I am a fag. I support the NWO.) <president at whitehouse.gov
	  512 bit DSA key DE415F3C, created: 2008-01-26 (revoked)
(8)	abc <president at whitehouse.gov>
	  1024 bit DSA key CEBBC2C4, created: 2007-10-27
(9)	BushBush <president at whitehouse.gov>
	  1024 bit DSA key 22A6F4D2, created: 2007-10-20
(10)	John Kerry <president at whitehouse.gov>
	  1024 bit DSA key A5978876, created: 2004-09-21
(11)	George Walker Bush (DOD) <president at whitehouse.gov>
	  1024 bit DSA key 0CB5C0BC, created: 2004-09-21
Keys 1-11 of 24 for "president at whitehouse.gov".  Enter number(s), N)ext,
or Q)uit >


>> If you don't believe or know (to a reasonable degree) that a person has
>> control of his email, then you can't communicate with them securely by
>> email.  At best, they never get the message and it's pointless.  At
>> worst, some hypothetical exploit by some hypothetical attacker
>> compromises your communications.  (Developing this hypothetical attack
>> is left as an exercise to the reader...)
> 
> Unfortunately I'm not able to develop such an attack, and think there is none of importance. Could you please help me?
> 

I personally don't think there is one.


-- 
Grant

"I am gravely disappointed. Again you have made me unleash my dogs of war."
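
The keyserver listing in the message above shows many keys whose user ID claims the same address. As an added example (not part of the original post), the sketch below parses `gpg --list-keys --with-colons` output and reports which addresses are claimed by more than one key and which of those keys have a valid binding in the local trust database. The sample listing, key IDs, addresses and function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample of `gpg --list-keys --with-colons` output (key IDs,
# names and addresses are made up for this example).
SAMPLE = """\
pub:-:2048:1:1111111111111111:1291852800:::-:::scESC:
uid:-::::1291852800::0000::Alice Example (work) <alice@example.org>:
pub:f:4096:1:2222222222222222:1240790400:::-:::scESC:
uid:f::::1240790400::0000::Alice Example <alice@example.org>:
uid:-::::1240790400::0000::Alice Example <alice@example.net>:
pub:r:1024:17:3333333333333333:1201305600:::-:::sc:
uid:r::::1201305600::0000::Totally Alice <alice@example.org>:
pub:u:4096:1:4444444444444444:1302480000:::u:::scESC:
uid:u::::1302480000::0000::Bob Example <bob@example.org>:
"""

VALID = {"m", "f", "u"}  # marginal, full, ultimate per GnuPG's doc/DETAILS
ADDR = re.compile(r"<([^<>]+@[^<>]+)>\s*$")

def claims_by_address(colon_listing):
    """Map each e-mail address to [(key_id, key_validity, uid_validity, uid)]."""
    claims = defaultdict(list)
    key_id = key_val = None
    for line in colon_listing.splitlines():
        f = line.split(":")
        if f[0] == "pub" and len(f) > 4:
            key_id, key_val = f[4], f[1]
        # Field 10 holds the user ID (on "pub" lines only in older GnuPG).
        if f[0] in ("pub", "uid") and len(f) > 9 and f[9] and key_id:
            uid = f[9].replace("\\x3a", ":")  # colons are escaped in this field
            m = ADDR.search(uid)
            if m:
                claims[m.group(1).lower()].append((key_id, key_val, f[1], uid))
    return dict(claims)

def contested(colon_listing):
    """Addresses claimed by more than one key -> key IDs whose binding is valid."""
    out = {}
    for addr, rows in claims_by_address(colon_listing).items():
        if len({k for k, *_ in rows}) > 1:
            out[addr] = sorted(k for k, kv, uv, _ in rows
                               if kv in VALID and uv in VALID)
    return out

if __name__ == "__main__":
    for addr, ok in contested(SAMPLE).items():
        print(addr, "-> keys with a valid binding:", ok or "none")
```

An empty list for a contested address means none of the claiming keys has a certified binding yet, so the address in the user ID alone says nothing about who holds the key.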
