How to find and verify a trust path?

Ingo Klöcker kloecker at kde.org
Mon Sep 16 23:27:36 CEST 2013


On Monday 16 September 2013 23:00:22 Peter Lebbing wrote:
> On 16/09/13 22:37, Philip Jägenstedt wrote:
> > Too bad. I guess one could do it by starting at the destination and
> > following signatures back using a shortest path algorithm and a lot
> > of requests to the keyserver, though.
> 
> Dijkstra's shortest path algorithm would amount to a breadth first
> search. Keyserver operators might not like that, I dunno.
> 
> > How would an attacker create n independent paths without deceiving n
> > people?
>
> Errrrr..... by creating n keys and uploading them to the keyserver?

I thought the same, but that won't work. The independent paths need to 
be completely disjoint (except for start and end point) _and_ they all 
need to start with Philip's key. The attacker would have to trick Philip 
into signing all n keys. Or he would have to trick n people whose keys 
Philip has signed (directly or indirectly) into signing his n keys.


Regards,
Ingo
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 198 bytes
Desc: This is a digitally signed message part.
URL: </pipermail/attachments/20130916/029935e5/attachment.sig>


More information about the Gnupg-users mailing list