trust paths

Johan Wevers johanw at
Sat Feb 28 19:15:10 CET 2015

On 28-02-2015 18:56, Christoph Anton Mitterer wrote:

> I'm not sure but I fear you have some deep misunderstanding of
> cryptography...

I'm not talking about mathematically proving something. After all, a
government agency could make a false key with Werner Koch's name on it
and send someone who looks like him with real ID documents to a
keysigning party. Government-issued IDs are no mathematical proof either.

> "Well-known", "often seen enough" or "not having heard any noise about
> it" are absolutely no ways to prove the validity of a key's named
> identity.

No proof, no - but mathematical proof does not exist in this matter.

> If there was only one "Werner Koch" on the keyservers, and that key was
> signed by thousands of other famous names (Linus Torvalds, and that
> like) you still couldn't be sure of anything.

Of course not, anyone can upload a key with any name to the keyservers.
But I doubt anyone can publish a fake key on without
anyone noticing for long.

> An attacker that MitMs you could just set up a fake web-of-trust in very
> little time and when you ask your favourite keyserver, block any of the
> "real answers" and instead deliver you his faked key space with all the
> mutual signatures and so on.

I am not talking about keyservers at all, except maybe for obtaining a
key with a given keyID. Nothing more, and no WoT issues. While I
understand the concept I consider the WoT way too complicated and I use
it only as additional evidence a key belongs to someone.

> And you'd think "Only one Werner Koch, with an email, even
> signed by all these other people - that can't be coincidence, some of
> them must have checked his ID, and if it was an impostor, I'd surely have
> read on about it" - while in fact no one else than you ever saw
> these faked keys.

If the key was only on the keyservers, sure, then even I could do that
myself easily. But I'm talking about keys on places where it is unlikely
anyone has write access to, like the gnupg website or as a signature in
mailinglist messages. Sure, it could be spoofed - but only a short time
before it gets noticed.

It would not be the first time I read about a spoofed gpg key on a Linux
distro server when the server was hacked. The attack works - but not for

ir. J.C.A. Wevers
PGP/GPG public keys at

More information about the Gnupg-users mailing list