German ct magazine postulates death of pgp encryption

Kristian Fiskerstrand kristian.fiskerstrand at sumptuouscapital.com
Fri Feb 27 21:07:02 CET 2015


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

On 02/27/2015 08:42 PM, Werner Koch wrote:
> On Fri, 27 Feb 2015 19:37, marcozehe-ml at mailbox.org said:
> 
>> And here’s the other problem the main article in c’t mentions:
>> Those keys, although faked, were certified. They were certified
>> by equally faked keys which resemble keys that are quite
>> well-known. So unless
> 
> Nope.  According to the questions the author sent me prior to
> publishing this article, he only looked at the listing presented by
> the keyserver and concluded that if the web page says
> "self-signature", the user id must be valid (e.g. that second user id
> on the c't PGP CA).  Now we all know that keyservers don't do crypto.
> As soon as you import that key, the user ids with the faked
> self-signature are simply ignored and a listing by gpg won't show
> them.

The author was fully aware of this; he had already contacted me back in
May 2014 regarding these keys and asked me to provide a list of keys
that had been signed by some specific keys (the fake CA keys). That
list was provided after a quick lookup - there were 7 keys in total
that had been signed with them.

> 
> To avoid that in the future, the signature listing from the
> keyservers may add a note about this.

Increasing the information on keyservers like this, in particular in
the descriptive parts, can be considered. Would it suffice to be part
of the standard web interface for the keyserver intro, or would it have
to be added on each individual index page?


- -- 
- ----------------------------
Kristian Fiskerstrand
Blog: http://blog.sumptuouscapital.com
Twitter: @krifisk
- ----------------------------
Public OpenPGP key 0xE3EDFAE3 at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
- ----------------------------
Veni vidi velcro
I came, I saw, I got stuck
-----BEGIN PGP SIGNATURE-----

iQEcBAEBCgAGBQJU8M5dAAoJEP7VAChXwav6okgIAKEMDKEh4mcd++SWPpCdhlr/
3Uyrz2E3Ifer3QuSBp4nav8XRx43HcvNkCja+RqdGue3RmRYadMUW2FwjLe/lX04
BKZ48/NOXBOC3/JJUQUr5/HkWXLII+rSf13jDu1GixnPUUI7gtECTPJQDevBrQLF
cA5L/hgrNH1Te1y4iZLrzmlEtr95Az8MlwkBmSf+sLCnmG7gW7suKHXsC7JrcRA7
siApTYVqk7PLBq8iMcs40A33+BbYZ1eXUwe3NuNGaPJV/4UjnGaKO4zjvcsk/uY5
YdtW63jtNYtN51lpL67mEMsIzTGfN3FM0L/RC0ud83TeoBbWaaloAufJQJARem0=
=nGok
-----END PGP SIGNATURE-----
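The distinction Werner draws above (a keyserver's web listing merely prints the packets it holds, while gpg actually verifies the self-signatures and drops user IDs whose self-signature does not check out) can be made concrete with a small checker over the machine-readable `gpg --check-sigs --with-colons` output. This is an added example, not code from the thread or from GnuPG or SKS; it applies the same rule gpg uses (a user ID counts only if a certification of class 0x10-0x13 issued by the primary key itself verifies as good, status `!` in field 2 of a `sig` record). The listing below is constructed for illustration, with placeholder key IDs; the "(fake)" user ID carries a bad self-signature of the kind a real gpg listing after import would normally not even show, which is exactly the behaviour described above.

```python
"""
Decide which user IDs on an OpenPGP key are backed by a valid self-signature,
from `gpg --check-sigs --with-colons <keyid>` output.

Record format (GnuPG doc/DETAILS): fields are colon separated; for `sig`
records field 2 is the check result ('!' good, '-' bad, '?' no public key,
'%' other error), field 5 the signing key ID, field 11 the signature class
(e.g. '13x' for a positive certification).
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample listing (placeholder key IDs, not real keys).
SAMPLE_LISTING = """\
pub:f:2048:1:0123456789ABCDEF:1420000000:::-:::scESC::::::
uid:f::::1420000000::ABCDEF0123456789ABCDEF0123456789ABCDEF01::Example Owner <owner@example.org>::::::::::0:
sig:!::1:0123456789ABCDEF:1420000000::::Example Owner <owner@example.org>:13x::
sig:?::1:FEDCBA9876543210:1420000100::::[User ID not found]:10x::
uid:-::::1420000200::FFFFFFFF0123456789ABCDEF0123456789ABCDEF::Example Owner (fake) <owner@example.org>::::::::::0:
sig:-::1:0123456789ABCDEF:1420000200::::Example Owner <owner@example.org>:13x::
uid:-::::1420000300::EEEEEEEE0123456789ABCDEF0123456789ABCDEF::Example Owner (unsigned) <nobody@example.org>::::::::::0:
sig:!::1:FEDCBA9876543210:1420000300::::Someone Else <else@example.org>:10x::
sub:f:2048:1:89ABCDEF01234567:1420000000::::::e::::::
sig:!::1:0123456789ABCDEF:1420000000::::Example Owner <owner@example.org>:18x::
"""

CERTIFICATION_CLASSES = ("10", "11", "12", "13")  # generic .. positive certification


@dataclass
class UserId:
    uid: str
    # '!', '-', '?', '%' from gpg, or None when no self-signature is present at all
    self_sig_status: Optional[str] = None


def parse_check_sigs(colon_output: str) -> Dict[str, UserId]:
    """Walk the listing and record the best self-signature status per user ID."""
    primary_keyid: Optional[str] = None
    current_uid: Optional[str] = None
    uids: Dict[str, UserId] = {}
    for line in colon_output.splitlines():
        if not line.strip():
            continue
        fields = line.split(":")
        rec = fields[0]
        if rec == "pub":
            primary_keyid = fields[4]
        elif rec == "uid":
            current_uid = fields[9]  # gpg escapes ':' inside the uid as \x3a
            uids[current_uid] = UserId(uid=current_uid)
        elif rec in ("sub", "ssb"):
            current_uid = None  # signatures that follow bind a subkey, not a uid
        elif rec == "sig" and current_uid is not None:
            status, signer, sig_class = fields[1], fields[4], fields[10]
            # A self-signature is a certification made by the primary key itself.
            if signer == primary_keyid and sig_class[:2] in CERTIFICATION_CLASSES:
                entry = uids[current_uid]
                if entry.self_sig_status != "!":  # one good self-sig is enough
                    entry.self_sig_status = status
    return uids


def valid_user_ids(colon_output: str) -> List[str]:
    """User IDs gpg would keep: those with a self-signature that verified ('!')."""
    return sorted(u.uid for u in parse_check_sigs(colon_output).values()
                  if u.self_sig_status == "!")


def rejected_user_ids(colon_output: str) -> List[str]:
    """User IDs that only *look* certified in a keyserver listing."""
    return sorted(u.uid for u in parse_check_sigs(colon_output).values()
                  if u.self_sig_status != "!")


if __name__ == "__main__":
    for uid in valid_user_ids(SAMPLE_LISTING):
        print("valid   :", uid)
    for uid in rejected_user_ids(SAMPLE_LISTING):
        print("rejected:", uid)
```

On a live system, feed the output of `gpg --check-sigs --with-colons <keyid>` into `parse_check_sigs`; the point of the checker is that the decision rests on gpg's verification result, never on a keyserver page that merely labels a packet "self-signature".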
