PGP/MIME considered harmful for mobile
dshaw at jabberwocky.com
Mon Feb 28 04:40:03 CET 2011
On Feb 27, 2011, at 10:27 PM, Robert J. Hansen wrote:
>> I think we're missing each other here. We have Martin (the real one), the fake Martin (let's call him "Marty"), and various other people on a mailing list. Martin always signs his messages. One day Marty shows up and tries to pretend to be Martin. Martin, not wanting someone else to pretend to be him, can easily say: "You're not Martin. I am Martin, and I can prove it: I have signed this message with the same key that I've used for all my other messages".
> Then we're at an impasse, because that claim wouldn't fly with me. Let's imagine Fake-Martin and Real-Martin (FM and RM).
> FM: [message]
> RM: Hey, that's not me! I'm me. See? I've signed this with the same cert I've used for everything else on this list.
> FM: No, I'm the real Martin. I didn't sign up for this mailing list until last week. You signed up here a long time ago and posted messages pretending to be me, so that when I came on the list you could falsely claim to be me!
> RM: But I'm the real Martin! I've been posting here for months!
> FM: Prove it. You can't! Therefore, I'm the real Martin.
> RM: But you can't prove it either!
I'm not talking about proving who is *named* Martin and who isn't. That's not very important (or doable on a mailing list anyway). What is significant is that the "Martin" that has been posting on the list and signing their messages has a continuity he can point to.
If I were Martin, I'd respond: I am the Martin that has been using this mailing list for the past few months. I've had many interesting conversations here, and signed them all. I am signing this message too. I am the same Martin that you all have been conversing with. This man claims to be Martin too. Whether he is or not, *he's not the guy you've been talking to for months*. Or put another way, he's the Martin that they know.
There is nothing dramatically new about this idea. It's how nym users have identified themselves for years.
More information about the Gnupg-users