About PGP Signing a File.

Tony Arnold tony.arnold at manchester.ac.uk
Sun Feb 11 10:57:54 UTC 2007


Jeff,

Jeffrey F. Bloss wrote:

> Or even better... meet in person, demand three forms of photo ID, and run
> fingerprints through NCIC/whatever. All in front of reliable, bondable
> witnesses. <grin>

LOL!


> This is why PGP/GnuPG are primarily data integrity tools and not proof
> of authorship tools. Indeed most digital signature schemes can't be
> used to reliably authenticate origin, just guarantee data hasn't been
> tampered with. The more refined tools like GnuPG and PGP implement
> methods of forming trusted relationships, but they are in general not so
> robust and easily exploited. Certainly not to be relied on for any
> mission critical work.

I don't think it is possible for someone to prove beyond doubt they are
who they say they are. I suspect even your example above is open to abuse.

It therefore becomes a question of degrees of trust. A document that has
been signed with a key that has also been signed by a number of people
increases that degree of trust, but as you say does not guarantee
authorship. A signature based on a key that has not been signed by
anybody is much less trustworthy.

> There are other protocols which address identity in much more suitable
> ways, although the "zero knowledge proof" problem has been a major
> thorn in cryptographers' sides since cryptography was invented. ;)

I'd be interested to hear about other such protocols.

Regards,
Tony.
-- 
Tony Arnold, IT Security Coordinator, University of Manchester,
IT Services Division, Kilburn Building, Oxford Road, Manchester M13 9PL.
T: +44 (0)161 275 6093, F: +44 (0)870 136 1004, M: +44 (0)773 330 0039
E: tony.arnold at manchester.ac.uk, H: http://www.man.ac.uk/Tony.Arnold
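To show how GnuPG exposes the "degrees of trust" Tony describes (the validity GnuPG assigns to the signing key and the number of third-party certifications on it), here is an added example that is not part of this thread; the `gpg --with-colons --list-sigs` output it parses is constructed and its key IDs and names are placeholders.

```python
# Added example, not from the thread: parse `gpg --with-colons --list-sigs`
# output and grade a key by its validity letter and third-party certifications.

# CONSTRUCTED gpg output: one key, a self-signature, two third-party
# certifications. Key IDs and names are placeholders, not real keys.
SAMPLE_GPG_OUTPUT = """\
pub:-:1024:17:0123456789ABCDEF:2007-02-01::::::scaESCA::::::::
uid:-::::2007-02-01::A1B2C3::Example Signer <signer@example.invalid>::::::::::
sig:::17:0123456789ABCDEF:2007-02-01::::Example Signer <signer@example.invalid>:13x:::::
sig:::17:FEDCBA9876543210:2007-02-03::::First Certifier <one@example.invalid>:10x:::::
sig:::17:1122334455667788:2007-02-05::::Second Certifier <two@example.invalid>:13x:::::
"""

# Validity letters GnuPG puts in field 2 of pub/uid records.
VALIDITY_LABELS = {"u": "ultimate", "f": "full", "m": "marginal",
                   "q": "undefined", "n": "never", "-": "unknown",
                   "e": "expired", "r": "revoked"}

# Signature classes 0x10..0x13 are user-ID certifications (others are
# e.g. key binding or revocation signatures and do not vouch for identity).
CERT_CLASSES = ("10", "11", "12", "13")


def parse_key_trust(colon_output):
    """Return (key_id, validity label, list of third-party certifier IDs)."""
    key_id, validity, certifiers = None, "unknown", []
    for line in colon_output.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            key_id, validity = f[4], VALIDITY_LABELS.get(f[1], "unknown")
        elif f[0] == "sig" and key_id is not None:
            # f[4] is the signer's key ID, f[10] the class; skip self-sigs.
            if f[10][:2] in CERT_CLASSES and f[4] != key_id:
                certifiers.append(f[4])
    if key_id is None:
        raise ValueError("no pub record in input")
    return key_id, validity, certifiers


def degree_of_trust(validity, certifiers):
    """The thread's point made mechanical: more certifications, more trust.
    A toy ranking, not GnuPG's trust model; it rates how well the key is
    vouched for and still says nothing about who authored the data."""
    if validity in ("full", "ultimate"):
        return "validated by your own trust settings"
    if not certifiers:
        return "unsigned key: the signature proves integrity only"
    if len(certifiers) < 3:
        return "lightly certified: treat as marginal"
    return "well certified: stronger, still not proof of authorship"
```

Running `parse_key_trust` on the sample yields two certifiers and an "unknown" validity, which `degree_of_trust` ranks as marginal; a real run would feed it the output of `gpg --with-colons --list-sigs <keyid>` for the key that produced the signature.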
