Signing a key (meaning)

Grant Olson kgo at
Mon Apr 11 19:06:48 CEST 2011

On 4/11/11 4:18 AM, Jan Janka wrote:
>>> One reason we use GnuPG for is we think it 
>>> is significant likeky there's a "man in the 
>>> middle attack" or someone has access to email 
>>> accounts he should not have. Given that, what 
>>> benefit does one take from knowing my communication 
>>> partner has access to a certain email account?
>> The biggest benefit is that you can actually email the person. ;-)
> That's through, but WHY should anybody (even an attacker) place an email address in the ID over wich they have no control? 

The obvious example is the standard MITM attack.  They don't have access
to a person's inbox, but they intercept messages before it gets to their
ISP's mail server, and re-encrypts it to the 'real' key.  They still
don't have control over the endpoint, they can't read, modify, or delete
existing messages, but they can modify things in transit.

Again, I think you can probably start with a different set of base
assumptions when signing an associate's key and a stranger's key.

And some people have reasons I can't even fathom:

johnmudhead:~ grant$ gpg --keyserver
--search-keys president at
gpg: searching for "president at" from hkp server
(1)	Barak Obama (I'm the president) <obama at>
	  2048 bit RSA key B110EE8F, created: 2010-12-09
(2)	Barack Hussein Obama (DOD) <president at>
	  1024 bit DSA key 0B72EB0F, created: 2009-04-27
(3)	BUsh the past coming... <president at>
	  1024 bit DSA key 6909AF98, created: 2008-10-27
(4)	clinton_lewinsky <president at>
	  1024 bit DSA key AD3EE118, created: 2008-10-27
(5)	ElPresi! (the president of the white house...) <president at whitehouse.g
	  2048 bit RSA key 0BCC736D, created: 2008-10-26
(6)	bushbushbushbushbush <president at>
	  1024 bit DSA key E3F0063A, created: 2008-02-10
(7)	George Bush (I am a fag. I support the NWO.) <president at
	  512 bit DSA key DE415F3C, created: 2008-01-26 (revoked)
(8)	abc <president at>
	  1024 bit DSA key CEBBC2C4, created: 2007-10-27
(9)	BushBush <president at>
	  1024 bit DSA key 22A6F4D2, created: 2007-10-20
(10)	John Kerry <president at>
	  1024 bit DSA key A5978876, created: 2004-09-21
(11)	George Walker Bush (DOD) <president at>
	  1024 bit DSA key 0CB5C0BC, created: 2004-09-21
Keys 1-11 of 24 for "president at".  Enter number(s), N)ext,
or Q)uit >

>> If you don't believe or know (to a reasonable degree) that a person has
>> control of his email, then you can't communicate with them securely by
>> email.  At best, they never get the message and it's pointless.  At
>> worst, some hypothetical exploit by some hypothetical attacker
>> compromises your communications.  (Developing this hypothetical attack
>> is left as an exercise to the reader...)
> Unfortunately I'm not able to develope such an attack, and think there is none of importance. Could you please help me? 

I personally don't think there is one.


"I am gravely disappointed. Again you have made me unleash my dogs of war."

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 570 bytes
Desc: OpenPGP digital signature
URL: </pipermail/attachments/20110411/c5ea575b/attachment.pgp>

More information about the Gnupg-users mailing list