Houston, we have a problem

Stefan Claas stefan.claas at posteo.de
Thu Sep 21 20:49:49 CEST 2017


On Thu, 21 Sep 2017 10:55:26 -0400, Robert J. Hansen wrote:
> > Question for the experts, how can a casual or new GnuPG user, like
> > Alice and Bob, detect a signature forgery on a pub key when using
> > web-based key servers?
> 
> By remembering that anyone can create a key claiming to be anyone, and
> that seeing a signature allegedly from Werner (or anyone) means
> absolutely nothing until and unless you've verified the signing
> certificate actually belongs to him.
> 
> Key validation -- ensuring a key really belongs to who it says -- is
> an important step.  It cannot be skipped.  It is not optional.

Thanks for your reply. Let's assume the following: you would also be
a German national, we both are friends, and we would have bad things in
mind...

I now issue fake signatures (from a German CA) on our fake keys* and
then we would start some bad business on the Internet. How could
customers, not pros like all you guys here on the list, verify
that we both are the persons the keys/signatures claim us to be?

* Due to my stupidity I no longer have access to my passphrase,
nor can I find my rev cert, in case someone would use my key,
which I used here for signing my previous post.

Regards
Stefan

-- 
https://www.behance.net/futagoza
https://keybase.io/stefan_claas
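As an added illustration of the point Robert makes above (a certification from a key whose user ID says "Werner" or "German CA" counts for nothing until the customer has validated that certifier's fingerprint), here is a small Python model of the classic GnuPG web-of-trust validity rule. It is example code written for this page, not code from the thread or from GnuPG itself. It assumes the certifications have already been cryptographically verified (the attacker's signatures verify perfectly under the attacker's own keys; that is the whole problem) and models only the question GnuPG then asks: is the certifier a key the local user trusts by fingerprint? All fingerprints, names and addresses are constructed for the example.

```python
"""Toy model of the classic GnuPG web-of-trust validity computation.

Added example, not GnuPG code. Certifications are taken as cryptographically
valid; what is modelled is whether the certifying key is one the local user
has validated (ownertrust by fingerprint), which decides whether the
certification contributes to the target key's validity.
"""
import copy
from dataclasses import dataclass, field

# Ownertrust levels the local user assigns, always keyed by fingerprint.
ULTIMATE, FULL, MARGINAL = "u", "f", "m"


@dataclass
class Key:
    fpr: str            # fingerprint: the identity GnuPG actually keys on
    uid: str            # user ID: free text chosen by whoever generated the key
    certified_by: set = field(default_factory=set)  # fprs whose certification verified


def compute_validity(keys, ownertrust, marginals_needed=3, completes_needed=1, max_depth=5):
    """Return {fpr: 'f' (fully valid) or '-' (unknown)} for every key.

    A key is valid if it is ultimately trusted, or if it is certified by at
    least completes_needed valid keys with full/ultimate ownertrust, or by
    marginals_needed valid keys with marginal ownertrust. Validity propagates
    outward from the ultimately trusted keys for at most max_depth steps.
    """
    valid = {f for f, t in ownertrust.items() if t == ULTIMATE and f in keys}
    for _ in range(max_depth):
        newly = set()
        for fpr, key in keys.items():
            if fpr in valid:
                continue
            completes = sum(1 for c in key.certified_by
                            if c in valid and ownertrust.get(c) in (ULTIMATE, FULL))
            marginals = sum(1 for c in key.certified_by
                            if c in valid and ownertrust.get(c) == MARGINAL)
            if completes >= completes_needed or marginals >= marginals_needed:
                newly.add(fpr)
        if not newly:
            break
        valid |= newly
    return {f: ("f" if f in valid else "-") for f in keys}


# Constructed fingerprints (not real keys), 40 hex digits like a v4 fingerprint.
CUSTOMER = "A1" * 20
REAL_WERNER = "B2" * 20
FAKE_WERNER = "C3" * 20      # same name as the real key, different fingerprint
FAKE_CA = "D4" * 20
FAKE_STEFAN = "E5" * 20
FAKE_ROBERT = "F6" * 20

# Constructed keyring: the attacker-made "CA" and "Werner" keys certify the
# attacker-made "Stefan" and "Robert" keys. All of those signatures verify.
KEYS = {k.fpr: k for k in [
    Key(CUSTOMER, "Customer <customer@example.com>"),
    Key(REAL_WERNER, "Werner <werner@example.com>"),
    Key(FAKE_WERNER, "Werner <werner@example.com>"),
    Key(FAKE_CA, "Example German CA <ca@example.de>"),
    Key(FAKE_STEFAN, "Stefan <stefan@example.com>", {FAKE_CA, FAKE_WERNER}),
    Key(FAKE_ROBERT, "Robert <robert@example.com>", {FAKE_CA}),
]}


def careful_customer():
    """Customer compared Werner's fingerprint out of band, signed that key and
    gave it full ownertrust. Nothing else is trusted."""
    keys = copy.deepcopy(KEYS)
    keys[REAL_WERNER].certified_by.add(CUSTOMER)
    return compute_validity(keys, {CUSTOMER: ULTIMATE, REAL_WERNER: FULL})


def careless_customer():
    """Customer signed and fully trusted the 'CA' key because its name looked
    official, without validating its fingerprint."""
    keys = copy.deepcopy(KEYS)
    keys[REAL_WERNER].certified_by.add(CUSTOMER)
    keys[FAKE_CA].certified_by.add(CUSTOMER)
    return compute_validity(keys, {CUSTOMER: ULTIMATE, REAL_WERNER: FULL, FAKE_CA: FULL})


def keys_named(keys, name):
    """Every fingerprint whose user ID starts with `name`: a name is not an identity."""
    return sorted(k.fpr for k in keys.values() if k.uid.startswith(name))


if __name__ == "__main__":
    for label, result in (("careful", careful_customer()), ("careless", careless_customer())):
        print(label, {KEYS[f].uid.split()[0] + ":" + f[:8]: v for f, v in result.items()})
    print("keys named Werner:", keys_named(KEYS, "Werner"))
```

In the careful case the fake "Stefan" and "Robert" keys stay at validity unknown no matter how many fake certifications they carry, because neither the fake "CA" nor the fake "Werner" fingerprint has any ownertrust; in the careless case one misplaced trust assignment makes all of them fully valid. The gpg equivalents of the two inputs are the local signature (`gpg --lsign-key <fingerprint>`) and the ownertrust set through `gpg --edit-key <fingerprint>` and `trust`; the check a customer can actually do is to compare the full fingerprint with the counterpart over a channel the counterpart controls, never to rely on the name or on who else appears to have signed the key.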