On message signing and Enigmail...

gnupg at lists.grepular.com
Wed Feb 1 22:05:31 CET 2012


On 01/02/12 20:45, Robert J. Hansen wrote:

>> On the issue of signing:  I do sign my messages, and have
>> uploaded my public keys to key servers, so they are available to
>> check that no one has changed my message.
>
> Except that it doesn't.  What's to prevent me from creating a
> certificate with your name and email address and making posts in
> your name, with a signature from a certificate that claims to be
> yours?
> Nothing -- and that signature is every bit as credible as the one
> that's from your own certificate.  You might say, "but that
> certificate's a fraud, my certificate's real!", but the Christopher
> Walters impersonator will say the same thing about you.  There's no
> way to check.

Isn't this the whole point of the web of trust?

And if somebody uses the same key to sign mail repeatedly it builds a
history and an identity. It doesn't stop somebody else coming in and
using a fake key, but that person can't successfully claim to be the
same person who signed all the other mail. Not if the person who
actually signed all of the historical mail still has access to that
key and can call them out on it.

I've posted using the same key on probably a dozen mailing lists, I
use it for all of my personal and work email. I use it to sign all of
the comments on my blog. I use it to sign the front page of my
website. There is very definite and obvious value in using the same
key in multiple places to establish the connection between your key
and your identity. Mailing lists are just another one of these places.

-- 
Mike Cardwell  https://grepular.com/     http://cardwellit.com/
OpenPGP Key    35BC AF1D 3AA2 1F84 3DC3  B0CF 70A5 F512 0018 461F
XMPP OTR Key   8924 B06A 7917 AAF3 DBB1  BF1B 295C 3C78 3EF1 46B4
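The key-history argument Mike makes can be turned into a mechanical check on the receiving side. The example below is added here and is not code from Mike or from GnuPG: it parses the status lines `gpg --status-fd` emits when verifying a message and compares the signing key's primary fingerprint against the fingerprint previously seen for that sender. The pinned entry is the fingerprint from Mike's signature block; the sender-pinning policy, the placeholder impostor fingerprint and the sample status output are this example's own assumptions.

```python
import re

# Pinned history: sender -> primary-key fingerprint seen on that sender's
# earlier signed mail (Mike's, from his signature block). Policy is ours.
KNOWN_KEYS = {
    "gnupg@lists.grepular.com": "35BCAF1D3AA21F843DC3B0CF70A5F5120018461F",
}
HEX40 = re.compile(r"^[0-9A-F]{40}$")


def parse_status(status_lines):
    """Return (good, primary_fpr) from `gpg --status-fd` verify output.
    VALIDSIG lists the signing (sub)key fingerprint first, primary last."""
    good, fpr = False, None
    for line in status_lines:
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue
        if fields[1] in ("BADSIG", "ERRSIG"):
            return False, None
        if fields[1] == "GOODSIG":
            good = True
        elif fields[1] == "VALIDSIG":
            fprs = [f for f in fields[2:] if HEX40.match(f)]
            fpr = fprs[-1] if fprs else None
    return good, fpr


def check_continuity(sender, status_lines):
    """Combine gpg's signature verdict with the sender's key history."""
    good, fpr = parse_status(status_lines)
    if not (good and fpr):
        return "NO_VALID_SIGNATURE"
    pinned = KNOWN_KEYS.get(sender)
    if pinned is None:
        return "FIRST_SEEN"       # no history yet; nothing to compare against
    if pinned == fpr:
        return "CONTINUITY_OK"    # same key as all the earlier mail
    return "KEY_CHANGED"          # a key merely claiming the same name


# Constructed status output; FAKE is a placeholder impostor fingerprint.
MIKE = "35BCAF1D3AA21F843DC3B0CF70A5F5120018461F"
FAKE = "0123456789ABCDEF0123456789ABCDEF01234567"


def status_for(fpr):
    return [
        "[GNUPG:] NEWSIG",
        f"[GNUPG:] GOODSIG {fpr[-16:]} Mike Cardwell <gnupg@lists.grepular.com>",
        f"[GNUPG:] VALIDSIG {fpr} 2012-02-01 1328130331 0 4 0 1 2 00 {fpr}",
        "[GNUPG:] TRUST_UNDEFINED 0 pgp",
    ]
```

A GOODSIG alone only says the signature matches some key with that name; the KEY_CHANGED verdict is what distinguishes the impersonator's key from the one with the posting history.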