On message signing and Enigmail...

gnupg at lists.grepular.com gnupg at lists.grepular.com
Wed Feb 1 22:26:18 CET 2012


On 01/02/12 21:12, Doug Barton wrote:

>>> Nothing -- and that signature is every bit as credible as the
>>> one that's from your own certificate.  You might say, "but
>>> that certificate's a fraud, my certificate's real!", but the
>>> Christopher Walters impersonator will say the same thing about
>>> you.  There's no way to check.
>> Isn't this the whole point of the web of trust?
> Different category of problems. But what does a large number of 
> signatures from people you don't know tell you more than a single
> key without signatures?

It tells you that all of the messages were from the same identity.

>> And if somebody uses the same key to sign mail repeatedly it
>> builds a history and an identity.
> It builds the *appearance* of an identity. Did you not read
> Robert's story of multiple people posting using the same key?

IMO, it builds an *actual* identity. That multiple people chose to
share the same identity in that particular story is not important.

>> It doesn't stop somebody else coming in and using a fake key, but
>> that person can't successfully claim to be the same person who
>> signed all the other mail. Not if the person who actually signed
>> all of the historical mail still has access to that key and can
>> call them out on it.
> This much is true, yes.
>> I've posted using the same key on probably a dozen mailing lists,
>> I use it for all of my personal and work email. I use it to sign
>> all of the comments on my blog. I use it to sign the front page
>> of my website. There is very definite and obvious value in using
>> the same key in multiple places to establish the connection
>> between your key and your identity. Mailing lists are just
>> another one of these places.
> The only thing that what you're doing proves is that at the time those
> things were posted someone had control of the secret key, and that
> the messages weren't altered after they were signed. Beyond that
> everything is speculation.

If you see somebody posting on another list using the same key that
I've been using to post on this list, then you know it's the same
person. If you come across my website and find the content on it
signed by my key, you can connect my postings on this list with my
website. And so on.

-- 
Mike Cardwell  https://grepular.com/     http://cardwellit.com/
OpenPGP Key    35BC AF1D 3AA2 1F84 3DC3  B0CF 70A5 F512 0018 461F
XMPP OTR Key   8924 B06A 7917 AAF3 DBB1  BF1B 295C 3C78 3EF1 46B4

