Signing multiple keys

Doug Barton dougb at dougbarton.us
Fri Aug 26 23:34:05 CEST 2011


On 08/26/2011 14:18, Nicholas Cole wrote:
> On Thu, Aug 25, 2011 at 7:21 PM, Doug Barton <dougb at dougbarton.us> wrote:

>> http://dougbarton.us/PGP/gen_challenges.html
> 
> Dear Doug,
> 
> I don't mean this in a negative way, but I struggle to see the point
> of such challenges. 

So feel free not to use them. :)

> The whole point of OpenPGP is the medium across
> which email is transmitted is insecure, and there is a possibility of
> a MITM attack.  I don't see how this sort of challenge-response does
> anything other than confirm that the controller of a key that claims
> to belong to a particular email address is also able to intercept and
> send messages to and from that address.

Yes, that is entirely the point.

> The only scenario that it would protect against is where key A claimed
> to belong to email address B, but actually did not, and the owner of
> key A was actually unable to read messages sent to address B.

2 for 2.

> In that case, OpenPGP would be providing no security, but the security
> of the email system itself would be such that OpenPGP was unnecessary.
> 
> To put it another way: if you trust the email network sufficiently for
> your challenge to be useful, doesn't that mean you don't need
> encryption.
> 
> Have I missed something?

Well the only thing you seem to have missed is the context in which I
use the script, which is my signing other people's keys. It's part of my
signing policy that I do not sign a uid unless I'm sure that the holder
of the key still has access to it. Similarly this process allows me to
verify that they still have access to the key(s).

One could certainly argue that my doing this verification step is
overly fussy (and you wouldn't be the first), but that's my policy.


Doug

-- 

	Nothin' ever doesn't change, but nothin' changes much.
			-- OK Go

	Breadth of IT experience, and depth of knowledge in the DNS.
	Yours for the right price.  :)  http://SupersetSolutions.com/



