MUA "automatically signs keys"?

Steve Jones steve at
Thu Jan 30 01:58:44 CET 2014

On Thu, 30 Jan 2014 00:04:17 +0000
MFPA <2014-667rhzu3dc-lists-groups at> wrote:

> Hi
> On Wednesday 29 January 2014 at 7:57:12 PM, in
> <mid:6757499.FAIGtOWeFj at mani>, Johannes Zarl wrote:
> > Under the assumption
> > that an attacker can't reliably do a MITM attack on
> > every message that is sent over an extended time
> > period
> Why would that be assumed? In a corporate setting the MITM could be
> placed within the company's network, for a home user their ISP or
> email provider could be used, and for mobiles, the phone network.

The advantage you have here though is the web of trust. 1 level 1
signature would probably be not enough, but 5, 10, 100..? There comes a
point where you have to decide that a certain level of security is good
enough. An attacker that can MITM not only your communications with the
key server and your emails but that of all your friends can probably do
a lot more than just MITM communications - like insert custom hardware
into the supply chain rendering software based security useless.

> > , you would place almost no trust in a fresh
> > persona-certified key, but high trust in an old and
> > frequently encountered key.
> The older the key, the greater the opportunity for compromise.

Yes, I'd say it's the number of signatures rather than their age which
would lend trust.

> > The trust would grow with
> > time (just like the trust into someone you know in real
> > life).
> If a person I knew well in real life were "compromised" they are
> likely a poor enough actor for it to be easily-noticed.

Maybe, a lot of compromised actors have gotten away with it for a long
time. But that's a different story, all the trust in a person's key and
identity is useless if they're secretly working against you.

-- 
Steve Jones <steve at>
Key fingerprint: 3550 BFC8 D7BA 4286 0FBC  4272 2AC8 A680 7167 C896