MUA "automatically signs keys"?

nb.linux nb.linux at xandea.de
Wed Jan 29 12:14:11 CET 2014


Gregor Zattler:
> Hi Steve, gnupg users,
> * Steve Jones <steve at secretvolcanobase.org> [24. Jan. 2014]:
>> Which reminds me that I'd really like an email client that
>> automatically signs keys at level 1 (persona) of anyone who replies
>> with a signed email that quotes a significant portion of the text I
>> sent, as this effectively counts as a challenge response protocol in my
>> book.
> 
> That's an interesting idea.  But there is still the possibility
> of a man in the middle attack...  The web of trust is supposed to
> counter MITM attacks by signing keys only if the verification was
> done directly (no middle person).

Maybe you already discussed that, but what about sending someone an
encrypted email (with the challenge) and waiting for an encrypted reply
with the signed challenge? (As you seem to talk only about sending a
clear text challenge.)

Personally, I don't want such behaviour. When I'm making a
certification, then it's me doing it manually as I have the
responsibility. I don't want some program to be able to make automatized
certifications with my key.

Here's a quote from an email on a very similar topic:

From: Robert J. Hansen <rjh at sixdemonbag.org>
Subject: Re: trust your corporation for keyowner identification?
Date: 2013-10-17 13:54 -0700
>> In my proposed scenario, the corporation [e.g. HR] is doing nothing more than
>> providing a means for the participants to know that Bob is actually Bob
>> because the company has checked his id and said he is and providing an
>> authenticated means (again, IT being a black-hat aside) to communicate
>> with Bob and verify fingerprints, etc.
> 
> Under this scenario, the entire thing is dangerously bogus.
> 
> When I sign a certificate, I am sending a message: "I am vouching for the identity of X."  Under your scenario, I'm no longer vouching for the identity of X.  I would instead be saying, "Someone else who is not listed on this signature has vouched for the identity of X.  I am signing this without any direct personal knowledge of X's identity."
> 
> If you're vouching for X's identity, you need to take positive steps to verify X's identity.  If someone else is vouching for X's identity, then let them sign X's certificate.  Why should you get involved without doing your own positive verification?

Two replies later in the thread there was Stan Tobias
<sttob at privatdemail.net> who clarified:
> [That] you vouch that the person told you "This is my key".  Making a certification is *not* a confirmation of an identity.

I like the term "vouch" here, because it highlights the responsibility
in the Web of Trust of the person doing the certification.

Cheers,
-- nb.linux
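As an added illustration of the encrypted challenge-response idea raised in this message (example code, not part of the original thread and not GnuPG's own code), the following Python evaluates the outcome of decrypting such a reply from the `[GNUPG:] ...` status lines that `gpg --status-fd` emits. The keywords used (ENC_TO, DECRYPTION_OKAY, GOODSIG, VALIDSIG, BADSIG) are GnuPG's documented status output; the fingerprints, key IDs, nonce and status transcripts are constructed samples, and the function and class names are this example's own. It deliberately stops at a verdict about key control and does not touch any certification, in line with the point made above that a certification is a human responsibility.

```python
"""Evaluate an encrypted challenge-response reply from GnuPG status lines.

Assumed protocol (the one proposed in the thread, not a GnuPG feature):
  1. The verifier sends a random nonce, encrypted to the key in question.
  2. The holder replies with a message signed by the same certificate and
     encrypted back to the verifier, quoting the nonce.
  3. The verifier runs `gpg --status-fd 1 --decrypt` on the reply and
     judges the status lines plus the decrypted plaintext.
A pass shows control of the key, not the identity of its owner.
"""
import secrets
from dataclasses import dataclass, field
from typing import List, Tuple

STATUS_PREFIX = "[GNUPG:] "


@dataclass
class Verdict:
    key_control_shown: bool
    reasons: List[str] = field(default_factory=list)


def make_challenge(nbytes: int = 32) -> str:
    """Fresh unpredictable nonce; a guessable or reused one can be replayed."""
    return secrets.token_hex(nbytes)


def parse_status(status_text: str) -> List[Tuple[str, List[str]]]:
    """Turn '[GNUPG:] KEYWORD arg ...' lines into (keyword, args) pairs."""
    events = []
    for line in status_text.splitlines():
        if not line.startswith(STATUS_PREFIX):
            continue  # normal gpg output is interleaved; ignore it
        parts = line[len(STATUS_PREFIX):].split()
        if parts:
            events.append((parts[0], parts[1:]))
    return events


def evaluate_reply(status_text: str, plaintext: str, nonce: str,
                   expected_primary_fpr: str) -> Verdict:
    events = parse_status(status_text)
    keywords = {kw for kw, _ in events}
    reasons = []

    # Quoting a cleartext challenge proves nothing: a man in the middle can
    # quote text too. Require the reply to be encrypted and decryptable.
    if "ENC_TO" not in keywords or "DECRYPTION_OKAY" not in keywords:
        reasons.append("reply was not encrypted to us")

    if "BADSIG" in keywords:
        reasons.append("signature on reply did not verify")

    # VALIDSIG args: fpr, sig-date, sig-ts, expire-ts, version, reserved,
    # pk-algo, hash-algo, sig-class, primary-key-fpr. Comparing the primary
    # fingerprint accepts a signing subkey of the same certificate.
    valid = [args for kw, args in events if kw == "VALIDSIG"]
    if not valid:
        reasons.append("no valid signature on reply")
    else:
        args = valid[0]
        primary = args[9] if len(args) > 9 else args[0]
        if primary.upper() != expected_primary_fpr.upper():
            reasons.append("reply signed by a different certificate "
                           "than the challenge was encrypted to")

    # The nonce must sit inside the signed plaintext: that is what ties the
    # ability to decrypt the challenge to the ability to sign.
    if nonce not in plaintext:
        reasons.append("challenge nonce missing from the signed plaintext")

    return Verdict(not reasons, reasons)


# ---- constructed sample data (no real keys, no real gpg transcript) ----
THEIR_PRIMARY_FPR = "0123456789ABCDEF0123456789ABCDEF01234567"
THEIR_SIGN_SUBKEY_FPR = "89ABCDEF0123456789ABCDEF0123456789ABCDEF"
OTHER_PRIMARY_FPR = "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
OUR_ENC_KEYID = "FEDCBA9876543210"
NONCE = "a1b2c3d4e5f60718293a4b5c6d7e8f90"  # fixed so the demo is repeatable

_SIG_LINES = (
    f"[GNUPG:] GOODSIG {THEIR_SIGN_SUBKEY_FPR[-16:]} Alice Example <alice@example.invalid>\n"
    f"[GNUPG:] VALIDSIG {THEIR_SIGN_SUBKEY_FPR} 2014-01-29 1390994051 0 4 0 1 10 00 {THEIR_PRIMARY_FPR}\n"
)
GOOD_STATUS = (f"[GNUPG:] ENC_TO {OUR_ENC_KEYID} 1 0\n"
               "[GNUPG:] DECRYPTION_OKAY\n" + _SIG_LINES)
CLEARTEXT_STATUS = _SIG_LINES  # signed, but never encrypted
WRONG_KEY_STATUS = GOOD_STATUS.replace(THEIR_PRIMARY_FPR, OTHER_PRIMARY_FPR)
GOOD_PLAINTEXT = f"Here is your challenge back: {NONCE}\n"


def demo() -> dict:
    """Run the three constructed cases and return their verdicts."""
    return {
        "encrypted and signed": evaluate_reply(GOOD_STATUS, GOOD_PLAINTEXT, NONCE, THEIR_PRIMARY_FPR),
        "cleartext quote only": evaluate_reply(CLEARTEXT_STATUS, GOOD_PLAINTEXT, NONCE, THEIR_PRIMARY_FPR),
        "signed by other key": evaluate_reply(WRONG_KEY_STATUS, GOOD_PLAINTEXT, NONCE, THEIR_PRIMARY_FPR),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {'key control shown' if verdict.key_control_shown else 'rejected'}",
              verdict.reasons)
```

Even when `evaluate_reply` passes, the result is evidence for the person holding the signing key to weigh, not a trigger for a certification: the check shows that whoever answered controls the private key, which is exactly the "this is my key" statement discussed later in the message, and nothing about who that person is.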
More information about the Gnupg-users mailing list