trust paths

Jonathan Schleifer js-gnupg-users at webkeks.org
Sun Mar 1 13:27:57 CET 2015


On 28.02.2015 at 19:15, Johan Wevers <johanw at vulcan.xs4all.nl> wrote:

> I'm not talking about mathematically proving something. After all, a
> government agency could make a false key with Werner Koch's name on it
> and send someone who looks like him with real ID documents to a
> keysigning party. Government-issued IDs are no mathematical proof either.

FWIW, you don't even need to be a government for that. And you don't need to look like Werner. Some document looking like a government-issued ID showing a picture of you with Werner's name will most likely be enough to fool everyone who doesn't know Werner personally into signing this fake key.

> If the key was only on the keyservers, sure, then even I could do that
> myself easily. But I'm talking about keys in places where it is unlikely
> anyone has write access to, like the gnupg website or as a signature in
> mailing list messages. Sure, it could be spoofed - but only a short time
> before it gets noticed.
> 
> It would not be the first time I read about a spoofed gpg key on a Linux
> distro server when the server was hacked. The attack works - but not for
> long.

You are assuming it will be spoofed for everyone. It could just be spoofed for you. Anybody who can MITM you and give you a fake SSL cert that you accept (i.e. every government on the planet, a lot of companies and even some individuals) can give you something spoofed and you would not notice. And there would be no outcry about spoofed keys, because it's just you being affected.

--
Jonathan

