On message signing and Enigmail...
gnupg at lists.grepular.com
gnupg at lists.grepular.com
Wed Feb 1 22:26:18 CET 2012
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 01/02/12 21:12, Doug Barton wrote:
>>> Nothing -- and that signature is every bit as credible as the
>>> one that's from your own certificate. You might say, "but
>>> that certificate's a fraud, my certificate's real!", but the
>>> Christopher Walters impersonator will say the same thing about
>>> you. There's no way to check.
>>
>> Isn't this the whole point of the web of trust?
>
> Different category of problems. But what does a large number of
> signatures from people you don't know tell you more than a single
> key without signatures?
It tells you that all of the messages were from the same identity.
>> And if somebody uses the same key to sign mail repeatedly it
>> builds a history and an identity.
>
> It build the *appearance* of an identity. Did you not read
> Robert's story of multiple people posting using the same key?
IMO, it builds an *actual* identity. That multiple people chose to
share the same identity in that particular story is not important.
>> It doesn't stop somebody else coming in and using a fake key, but
>> that person can't successfully claim to be the same person who
>> signed all the other mail. Not if the person who actually signed
>> all of the historical mail still has access to that key and can
>> call them out on it.
>
> This much is true, yes.
>
>> I've posted using the same key on probably a dozen mailing lists,
>> I use it for all of my personal and work email. I use it to sign
>> all of the comments on my blog. I use it to sign the front page
>> of my website. There is very definite and obvious value in using
>> the same key in multiple places to establish the connection
>> between your key and your identity. Mailing lists are just
>> another one of these places.
>
> The only thing what you're doing proves is that at the time those
> things were posted someone had control of the secret key, and that
> the messages weren't altered after they were signed. Beyond that
> everything is speculation.
If you see somebody posting on another list using the same key that
I've been using to post on this list, then you know it's the same
person. If you come across my website and find the content on it
signed by my key, you can connect my postings on this list with my
website. And so on.
- --
Mike Cardwell https://grepular.com/ http://cardwellit.com/
OpenPGP Key 35BC AF1D 3AA2 1F84 3DC3 B0CF 70A5 F512 0018 461F
XMPP OTR Key 8924 B06A 7917 AAF3 DBB1 BF1B 295C 3C78 3EF1 46B4
-----BEGIN PGP SIGNATURE-----
iQGGBAEBAgBwBQJPKa36MBSAAAAAACAAB3ByZWZlcnJlZC1lbWFpbC1lbmNvZGlu
Z0BwZ3AuY29tcGdwbWltZTgUgAAAAAAVABpwa2EtYWRkcmVzc0BnbnVwZy5vcmdt
aWtlLmNhcmR3ZWxsQGdyZXB1bGFyLmNvbQAKCRCdJiMBwdHnBO6FB/wMB8caKnFS
J+pXsFeVDfluKrUArIBK0ylq3A0xGKI5GpNZfsixUp5kgj9eK4J4EZ/qFq0wV//S
TarO87SIJrljze2nhSiURsuqUARD5BC9/XpLpel3YCQSSZ8AFZRy3LHjv2GvIoAb
dN5ezIR0B32R1b2pG/NyqIXWHSJzDfZORlXEiHOzVH0Lf5dBAaIx0vNQ1hx/7J5P
2j0JO4+LfM8TswfuuJBHwr3xMMWjLz4zBRxRe4FtEuUq9lCKQ7YlX0HO40S/nUOz
kXNaJQHZrycFwZQVfodZLue8mzI/Ghjs/MGNMbq0T8tDUi3Fg/c4Bl34g+SXaDdG
jn8iNlmdRhTX
=bmhD
-----END PGP SIGNATURE-----
More information about the Gnupg-users
mailing list