gpg for anonymous users - Alternative to the web of trust?

Nomen Nescio nobody at dizum.com
Fri Mar 29 02:51:39 CET 2013


There is a related issue.  Assume you are a tor user.  Go to
irc.oftc.net, channel #tor.  This is where tor users hang out.

There you will find some person on there called "arma."  This is one of
the main authors for Tor.  

But is he?  Are you really on some MITM attack IRC server with all fake
bots?  Is someone else pretending to be him?  He does appear to be
logged on via an mit.edu ip...

You can't know.  All you can find out is whether the same person signing the
code releases is in possession of the same secret key as the person on
the IRC.  You can ask him to sign some snippet of text to verify he is
in possession of the secret key used to sign the tor source code.  That
is it.  Is that Roger Dingledine? Who knows.  

But from a user's perspective I don't know if I care.  In this case,
that person signing code = person I am talking to is probably enough
for me to get support for the product.  (Assuming I am using the same
Tor everyone else is).

Although Monkeysphere is supposed to protect you from people creating
new certs for your site, what if your signed cert is stolen and your
dns changed?  Using a smart card, it is probably easier to feel assured
your secret key is secure, rather than a cert on a server.  So with
Monkeysphere you are signing these server certificates, getting one more
layer of protection, that site=key=code.

As to whether you are some covert agent, you probably are and don't
know it.
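The "sign this snippet" check from the post, worked through as an added example (not code from the post or from the Tor project): the challenge is fresh and context-bound so an old signature cannot be replayed, and the key that signed it is compared against the key that signed the release by parsing the machine-readable `[GNUPG:] VALIDSIG` lines that `gpg --status-fd 1 --verify` emits. The status output and fingerprints below are constructed placeholders, not a real Tor signing key.

```python
import secrets

# Real invocations that produce this kind of output (not run here):
#   gpg --status-fd 1 --verify tor-x.y.z.tar.gz.asc tor-x.y.z.tar.gz
#   gpg --status-fd 1 --output - --verify challenge.txt.asc
# CONSTRUCTED sample status output; the fingerprints are placeholders.
RELEASE_STATUS = """[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Release Signer <signer@example.invalid>
[GNUPG:] VALIDSIG 0000000000000000000000000123456789ABCDEF 2013-03-29 1364521899 0 4 0 1 10 00 0000000000000000000000000123456789ABCDEF
"""
CHALLENGE_STATUS = """[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Release Signer <signer@example.invalid>
[GNUPG:] VALIDSIG 0000000000000000000000000123456789ABCDEF 2013-03-29 1364525499 0 4 0 1 10 01 0000000000000000000000000123456789ABCDEF
"""
# A valid signature by some other key: whoever made it is not the release signer.
OTHER_STATUS = """[GNUPG:] NEWSIG
[GNUPG:] GOODSIG FEDCBA9876543210 Someone Else <other@example.invalid>
[GNUPG:] VALIDSIG 000000000000000000000000FEDCBA9876543210 2013-03-29 1364525500 0 4 0 1 10 01 000000000000000000000000FEDCBA9876543210
"""

def make_challenge(context: str, now: int, nonce: str = "") -> str:
    """Unpredictable, context-bound text for the other party to clear-sign."""
    nonce = nonce or secrets.token_hex(16)
    return f"{context} nonce={nonce} ts={now}"

def primary_fingerprints(status: str) -> set:
    """Primary-key fingerprints from every VALIDSIG line (12th field)."""
    fprs = set()
    for line in status.splitlines():
        fields = line.split()
        if len(fields) >= 12 and fields[:2] == ["[GNUPG:]", "VALIDSIG"]:
            fprs.add(fields[11].upper())
    return fprs

def sig_timestamps(status: str) -> list:
    """Signature creation timestamps (5th field of each VALIDSIG line)."""
    return [int(l.split()[4]) for l in status.splitlines()
            if l.startswith("[GNUPG:] VALIDSIG ")]

def same_key_as_release(release_status: str, challenge_status: str) -> bool:
    """True iff some key that validly signed the release also signed the challenge."""
    return bool(primary_fingerprints(release_status) & primary_fingerprints(challenge_status))

def challenge_accepted(signed_text: str, expected: str, challenge_status: str,
                       release_status: str, now: int, max_age: int = 300) -> bool:
    """Right text, signed recently, by the key that signed the release."""
    if signed_text.strip() != expected.strip():
        return False  # not our nonce: could be a replayed old signature
    if not same_key_as_release(release_status, challenge_status):
        return False  # valid signature, wrong key
    return all(now - max_age <= t <= now + 60 for t in sig_timestamps(challenge_status))
```

Passing this check only shows that the IRC party controls the release-signing key, exactly the limit the post describes; it says nothing about who that person is.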


