MUA "automatically signs keys"?

Steve Jones steve at secretvolcanobase.org
Wed Jan 29 18:24:36 CET 2014


On Wed, 29 Jan 2014 11:14:11 +0000
"nb.linux" <nb.linux at xandea.de> wrote:

> Gregor Zattler:
> > Hi Steve, gnupg users,
> > * Steve Jones <steve at secretvolcanobase.org> [24. Jan. 2014]:
> > That's an interesting idea.  But there is still the possibility
> > of a man in the middle attack...  The web of trust is supposed to
> > counter MITM attacks by signing keys only if the verification was
> > done directly (no middle person).
> 
> maybe you already discussed that, but what about sending someone an
> encrypted email (with the challenge) and waiting for an encrypted reply
> with the signed challenge? (as you seem to talk only about sending a
> clear text challenge)

Yes, the message being sent would have to be encrypted for the
procedure to be valid, otherwise an attacker could read the mail and
spoof a response (after having already spoofed your communication with
the key server).

> Personally, I don't want such behaviour. When I'm making a
> certification, then it's me doing it manually as I have the
> responsibility. I don't want some program to be able to make
> automatized certifications with my key.

Well, it could be semi-automatic. I'm only talking about persona
certifications, which appear to be understood as verifying that the key
and the email address are under the control of the same person. Having
your mail client be able to determine that the key and the email
address seem to match and offering you a one-click (plus passphrase)
option to verify that fact would be nice.

-- 
Steve Jones <steve at secretvolcanobase.org>
Key fingerprint: 3550 BFC8 D7BA 4286 0FBC  4272 2AC8 A680 7167 C896
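The exchange the thread is circling around, as an added example that is not part of the original post or of GnuPG: the verifier's client encrypts a fresh nonce to the candidate key and mails it to the address in question; whoever reads that mailbox can only answer if they hold the matching private key, and the answer is the nonce signed with that key, sent back encrypted to the verifier. Textbook RSA on fixed Mersenne primes stands in for OpenPGP keys so the script runs offline with the standard library; the key sizes, the lack of padding, the names ALICE, IMPOSTOR, VERIFIER and the address alice@example.org are all constructed for the example.

```python
"""Toy model of an encrypted challenge-response for persona certification.

Constructed example: textbook RSA with fixed Mersenne primes replaces real
OpenPGP keys. No padding, toy moduli; only the protocol logic matters here.
"""
import hashlib
import secrets


# --- toy asymmetric primitives (stand-in for an OpenPGP key) ---------------

def make_keypair(p, q, e=65537):
    """Return (public, private) as ((n, e), (n, d)) for primes p and q."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))
    return (n, e), (n, d)


def encrypt(pub, m):
    n, e = pub
    assert 0 < m < n, "message must be smaller than the modulus"
    return pow(m, e, n)


def decrypt(priv, c):
    n, d = priv
    return pow(c, d, n)


def _digest(m, n):
    # Hash the message and reduce it into the signing group.
    return int.from_bytes(hashlib.sha256(str(m).encode()).digest(), "big") % n


def sign(priv, m):
    n, d = priv
    return pow(_digest(m, n), d, n)


def verify(pub, m, sig):
    n, e = pub
    return pow(sig, e, n) == _digest(m, n)


# --- the protocol ----------------------------------------------------------

def build_challenge(candidate_pub, address):
    """Verifier's client: pick a fresh nonce and encrypt it to the candidate
    key. Returns the nonce to remember and the mail to send."""
    nonce = secrets.randbelow(2**64) + 1
    return nonce, {"to": address, "body": encrypt(candidate_pub, nonce)}


def answer_challenge(mailbox_priv, verifier_pub, mail):
    """Whoever reads the mailbox: decrypt with the key they actually hold,
    sign the recovered nonce, and reply encrypted to the verifier.
    With no private key at all there is nothing to answer with."""
    if mailbox_priv is None:
        return None
    nonce = decrypt(mailbox_priv, mail["body"])
    sig = sign(mailbox_priv, nonce)
    return {"to": "verifier", "body": encrypt(verifier_pub, sig)}


def check_answer(verifier_priv, candidate_pub, nonce, reply):
    """Verifier's client: accept only if the signature checks under the
    candidate key and covers exactly the nonce that was sent. Only then
    would the client offer the one-click (plus passphrase) certification."""
    if reply is None:
        return False
    sig = decrypt(verifier_priv, reply["body"])
    return verify(candidate_pub, nonce, sig)


def run_protocol(mailbox_priv, candidate_pub, address="alice@example.org"):
    """Drive one full round trip and return the verifier's decision."""
    verifier_pub, verifier_priv = VERIFIER
    nonce, mail = build_challenge(candidate_pub, address)
    reply = answer_challenge(mailbox_priv, verifier_pub, mail)
    return check_answer(verifier_priv, candidate_pub, nonce, reply)


# Constructed key material. Mersenne primes are used so primality is not in
# doubt; the verifier gets the largest modulus so it can receive signatures.
VERIFIER = make_keypair(2**89 - 1, 2**127 - 1)
ALICE = make_keypair(2**17 - 1, 2**61 - 1)      # key really held by the mailbox owner
IMPOSTOR = make_keypair(2**31 - 1, 2**107 - 1)  # key a spoofed key server might serve


if __name__ == "__main__":
    print("genuine key, owner answers:   ", run_protocol(ALICE[1], ALICE[0]))
    print("substituted key, owner answers:", run_protocol(ALICE[1], IMPOSTOR[0]))
    print("substituted key, no key at all:", run_protocol(None, IMPOSTOR[0]))
```

A passing run establishes exactly what the thread calls a persona certification: whoever could read mail at that address also holds the private half of the candidate key. It does not, on its own, tell apart the real owner from a party who controls both the mail path and the substituted key, which is the man-in-the-middle case raised earlier in the thread.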