How to find and verify a trust path?
Ingo Klöcker
kloecker at kde.org
Wed Sep 18 23:40:30 CEST 2013

On Tuesday 17 September 2013 11:38:55 Peter Lebbing wrote:
> On 17/09/13 11:07, Peter Lebbing wrote:
> > > The independent paths need to be completely disjoint (except for
> > > start and end point) _and_ they all need to start with Philip's
> > > key.
> >
> > AFAIK, there is no such requirement in the Web of Trust. I've never
> > heard of it.
>
> Euh... apart from the part where you said they need to start with
> Philip's key. I didn't trim the quote far enough :). I meant there is
> no requirement that the paths are independent.

True. There's no such requirement in the Web of Trust. But Philip's
question

> > > > > How would an attacker create n independent paths without
> > > > > deceiving n people?

(which you snipped away in your reply) specifically requires the paths to
be independent. And that the n independent paths have to connect
Philip's key and the key Philip wants to verify is an implicit
requirement.

Of course, the attacker could create n keys all with his correct name.
Then nobody would have to be deceived because there's nothing wrong
about those keys. But IMHO that's not a convincing answer because I
wouldn't trust n paths all involving keys from the same person more than
1 path involving a key of that person. Of course, if somebody blindly
trusts gpg to do the right thing then he probably deserves to be
deceived.

Regards,
Ingo
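
The point discussed in this message, as an added example that is not part of the original post and is not GnuPG code: counting paths that are disjoint by key versus disjoint by key owner in a certification graph. The key labels, the `OWNER` map and the function name are constructed for illustration, and the count ignores GnuPG's owner-trust settings.

```python
from collections import defaultdict, deque

# Constructed sample: P certifies A, B, C; each correctly certifies one of
# Mallory's keys M1..M3 (his real name); every Mallory key certifies T.
SIGS = [("P", "A"), ("P", "B"), ("P", "C"), ("A", "M1"), ("B", "M2"),
        ("C", "M3"), ("M1", "T"), ("M2", "T"), ("M3", "T")]
OWNER = {"M1": "mallory", "M2": "mallory", "M3": "mallory"}

def disjoint_paths(sigs, start, target, owner=None):
    """Max number of start->target paths sharing no intermediate node.

    sigs: (signer, signee) pairs. owner: optional key -> person map; keys of
    one person are merged so they count as a single intermediary.
    """
    def who(k):
        return k if owner is None or k in (start, target) else owner.get(k, k)
    cap, adj = defaultdict(int), defaultdict(set)

    def edge(u, v):
        cap[u, v] = 1          # unit capacity
        adj[u].add(v)
        adj[v].add(u)          # reverse arc for the residual graph

    for a, b in sigs:
        a, b = who(a), who(b)
        if a != b:
            edge((a, "out"), (b, "in"))       # certification a -> b
            edge((a, "in"), (a, "out"))       # node split: each node
            edge((b, "in"), (b, "out"))       # can carry only one path
    s, t, flow = (start, "out"), (target, "in"), 0
    while True:                                # BFS augmenting paths
        prev, queue = {s: None}, deque([s])
        while queue and t not in prev:
            u = queue.popleft()
            for v in adj[u]:
                if v not in prev and cap[u, v] > 0:
                    prev[v] = u
                    queue.append(v)
        if t not in prev:
            return flow
        v = t
        while prev[v] is not None:             # push one unit along the path
            u = prev[v]
            cap[u, v] -= 1
            cap[v, u] += 1
            v = u
        flow += 1
```

On the constructed graph, `disjoint_paths(SIGS, "P", "T")` counts three paths by key, while passing `OWNER` collapses them to one.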