How to find and verify a trust path?

Ingo Klöcker kloecker at
Mon Sep 16 23:27:36 CEST 2013

On Monday 16 September 2013 23:00:22 Peter Lebbing wrote:
> On 16/09/13 22:37, Philip Jägenstedt wrote:
> > Too bad. I guess one could do it by starting at the destination and
> > following signatures back using a shortest path algorithm and a lot
> > of requests to the keyserver, though.
> Dijkstra's shortest path algorithm would amount to a breadth first
> search. Keyserver operators might not like that, I dunno.
> > How would an attacker create n independent paths without deceiving n
> > people?
> Errrrr..... by creating n keys and uploading them to the keyserver?

I thought the same, but that won't work. The independent paths need to 
be completely disjoint (except for start and end point) _and_ they all 
need to start with Philip's key. The attacker would have to trick Philip 
into signing all n keys. Or he would have to trick n people whose keys 
Philip has signed (directly or indirectly) into signing his n keys.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 198 bytes
Desc: This is a digitally signed message part.
URL: </pipermail/attachments/20130916/029935e5/attachment.sig>

More information about the Gnupg-users mailing list