MUA "automatically signs keys"?

Gregor Zattler telegraph at gmx.net
Wed Jan 29 18:19:10 CET 2014


Hi nb.linux,
* nb.linux <nb.linux at xandea.de> [29. Jan. 2014]:
> Gregor Zattler:
>> * Steve Jones <steve at secretvolcanobase.org> [24. Jan. 2014]:
>>> Which reminds me that I'd really like an email client that
>>> automatically signs keys at level 1 (persona) of anyone who replies
>>> with a signed email that quotes a significant portion of the text I
>>> sent, as this effectively counts as a challenge response protocol in my
>>> book.
>> 
>> That's an interesting idea.  But there is still the possibility
>> of a man in the middle attack...  The web of trust is supposed to
>> counter MITM attacks by signing keys only if the verification was
>> done directly (no middle person).
> 
> maybe you already discussed that, but what about sending someone an
> encrypted email (with the challenge) and wait for an encrypted reply
> with the signed challenge? (as you seem to talk only about sending a
> clear text challenge)

This would not help against a MITM attack.  I want to send you
an email, my email program fetches a key with uid nb.linux at xandea.de
from the server, evil organisation intercepts this, sends me a key
with uid nb.linux at xandea.de, I send a challenge encrypted to this
key, evil organisation decrypts it, re-encrypts it to your key, sends
it to you, you sign-reply to my encrypted challenge, evil
organisation intercepts it...

> Personally, I don't want such behaviour. When I'm making a
> certification, then it's me doing it manually as I have the
> responsibility. I don't want some program to be able to make automatized
> certifications with my key.

me too.


Ciao; Gregor


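The exchange Gregor describes (key fetched from a keyserver, encrypted challenge, signed encrypted reply, an active attacker substituting keys on the path) as an added simulation, not code from this thread or from GnuPG. Keys, encryption and signatures are modelled as plain Python objects so that only the protocol logic is exercised; the names alice, bob and mallory, the uids and the `run_challenge` function are all assumptions of this example. It shows that the encrypted challenge/response passes every check Alice's MUA can make in both the honest and the attacked run, so the automatic signing rule would certify Mallory's key.

```python
"""Constructed simulation of the key-substitution MITM discussed above.

No real cryptography: a Key is a uid plus a random fingerprint, and a
Msg records which key it is encrypted to and which key signed it.
"""
from dataclasses import dataclass
import secrets


@dataclass(frozen=True)
class Key:
    """Stand-in for an OpenPGP key: user id plus fingerprint."""
    uid: str
    fpr: str


def make_key(uid: str) -> Key:
    # Random fingerprint; no key material is involved.
    return Key(uid, secrets.token_hex(8))


@dataclass(frozen=True)
class Msg:
    """An encrypted, signed mail: recipient key, signing key, plaintext."""
    to_fpr: str
    signer_fpr: str
    body: str


def encrypt_sign(to: Key, signer: Key, body: str) -> Msg:
    return Msg(to.fpr, signer.fpr, body)


def decrypt(msg: Msg, own: Key) -> str:
    # Only the holder of the key the mail was encrypted to can read it.
    if msg.to_fpr != own.fpr:
        raise PermissionError("not encrypted to this key")
    return msg.body


class Keyserver:
    def __init__(self, *keys: Key):
        self.keys = {k.uid: k for k in keys}

    def lookup(self, uid: str) -> Key:
        return self.keys[uid]


class Mallory:
    """Sits between the parties and the keyserver and rewrites both directions."""

    def __init__(self, server: Keyserver, alice_uid: str, bob_uid: str):
        self.server = server
        # One attacker-controlled key per victim uid (the "key with uid ...").
        self.fake = {uid: make_key(uid) for uid in (alice_uid, bob_uid)}
        self.seen: list[str] = []

    def lookup(self, uid: str) -> Key:
        # A lookup for either uid returns Mallory's key carrying that uid.
        return self.fake[uid]

    def relay(self, msg: Msg, sender_uid: str, recipient_uid: str) -> Msg:
        # The mail was encrypted to the fake recipient key: decrypt, record,
        # re-encrypt to the real recipient and re-sign with the fake sender key.
        plaintext = decrypt(msg, self.fake[recipient_uid])
        self.seen.append(plaintext)
        real_recipient = self.server.lookup(recipient_uid)
        return encrypt_sign(real_recipient, self.fake[sender_uid], plaintext)


def run_challenge(attacked: bool) -> dict:
    """Run the challenge/response once; attacked=True puts Mallory on the path."""
    alice, bob = make_key("alice@example.org"), make_key("bob@example.org")
    server = Keyserver(alice, bob)
    mallory = Mallory(server, alice.uid, bob.uid) if attacked else None
    directory = mallory if mallory else server

    # 1. Alice's MUA fetches a key for Bob's uid and sends an encrypted challenge.
    bob_key_seen = directory.lookup(bob.uid)
    challenge = secrets.token_hex(8)
    out = encrypt_sign(bob_key_seen, alice, f"please quote: {challenge}")
    if mallory:
        out = mallory.relay(out, alice.uid, bob.uid)

    # 2. Bob decrypts, looks up the sender's key, quotes the challenge, signs, encrypts.
    text = decrypt(out, bob)
    alice_key_seen = directory.lookup(alice.uid)
    assert alice_key_seen.fpr == out.signer_fpr   # Bob sees a consistent sender
    reply = encrypt_sign(alice_key_seen, bob, "> " + text)
    if mallory:
        reply = mallory.relay(reply, bob.uid, alice.uid)

    # 3. Alice's MUA checks: decrypts, signed by the key it fetched, quotes the challenge.
    plain = decrypt(reply, alice)
    valid = reply.signer_fpr == bob_key_seen.fpr and challenge in plain
    return {
        "response_valid": valid,
        "key_alice_would_sign": bob_key_seen.fpr,
        "bob_real_fpr": bob.fpr,
        "challenge_read_by_mallory": bool(mallory) and any(challenge in s for s in mallory.seen),
    }


if __name__ == "__main__":
    for attacked in (False, True):
        r = run_challenge(attacked)
        print("attacked" if attacked else "honest", r)
```

In both runs `response_valid` is True; only the fingerprint of the key Alice's client would certify differs, and nothing in the exchange lets the client notice that. That is why the check has to happen out of band (a fingerprint compared in person or over a channel the attacker does not control) rather than inside the mail flow it is meant to protect.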
