About PGP Signing a File.

Jeffrey F. Bloss jbloss at tampabay.rr.com
Tue Feb 13 10:33:35 UTC 2007


Matthew Flaschen wrote:

> Michael R. Head wrote:
> > On Mon, 2007-02-12 at 22:13 -0800, John L Fjellstad wrote:
> >> Ouattara Oumar Aziz <wattazoum at gmail.com> writes:
> >>
> >>> That's why, when I see some people on some mailing list signing
> >>> their mail using PGP I just wonder what they want to prove. We
> >>> have no way to check the authority behind that key.
> >> Authority has nothing to do with it (unless you know the person).
> >> But you can be sure that the person who claims he wrote an email
> >> yesterday is the same person who wrote the email today if the
> >> signatures match.
> > 
> > Correction: *reasonably sure*
> > 
> > It's entirely possible that the guy's keys were stolen in the
> > intervening night.
> 
> Also true, but that's what revocation certificates
> (http://www.pgp.net/pgpnet/pgp-faq/pgp-faq-key-revocation.html) are
> for. Constant vigilance.

If your keys have been compromised, a revocation certificate is mostly
useless. In fact a nefariously created revocation certificate is one
potential attack vector. Imagine the fun you'd have trying to
reestablish a secure communication channel starting from scratch, when
someone has effectively demolished the mechanism you were using to
authenticate yourself. :(

Yet another reason PGP should never be used for proof of identity...

-- 
     _?_      Outside of a dog, a book is a man's best friend.
    (o o)         Inside of a dog, it's too dark to read.
-oOO-(_)--OOo------------------------------[ Groucho Marx ]---
                    http://wrench.homelinux.net/~jeff/
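Added example, not part of the original message or the thread: the two
mechanisms argued about above, what a matching signature actually
establishes and what importing a revocation certificate does to a key,
run end to end with GnuPG in a throw-away keyring. It assumes gpg
(GnuPG 2.1 or later) is on PATH; the identity "Alice <alice@example.org>",
the two message texts and the directory layout are constructed for the
demo and are not taken from the thread.

```shell
#!/bin/sh
# Added example (not from the original thread): what a PGP signature proves
# and what it does not, shown with GnuPG in a throw-away keyring.
#   - two detached signatures verify back to the SAME key fingerprint
#     (continuity of the key, not proof of who is holding it);
#   - importing a revocation certificate marks that key revoked, so whoever
#     holds the secret key, or just the stored .rev file, can demolish it.
# Assumptions: gpg (GnuPG >= 2.1) on PATH; "Alice <alice@example.org>" and
# the message texts are constructed for the demo.
set -e

WORK=$(mktemp -d)
export GNUPGHOME="$WORK/gnupg"
mkdir -m 700 "$GNUPGHOME"

# gpg in non-interactive mode with an empty passphrase (demo key only).
gpgb() { gpg --batch --quiet --no-tty --pinentry-mode loopback --passphrase '' "$@"; }

# Generate the demo key. GnuPG >= 2.1 also drops a ready-made revocation
# certificate into $GNUPGHOME/openpgp-revocs.d/<FPR>.rev at this point.
gpgb --quick-generate-key 'Alice <alice@example.org>' default default 0 2>/dev/null
KEY_FPR=$(gpg --batch --with-colons --fingerprint alice@example.org \
          | awk -F: '/^fpr:/ {print $10; exit}')

# Two mails "sent" on different days, each with a detached signature.
printf 'Patch review: looks good, merging tomorrow.\n' > "$WORK/monday.txt"
printf 'Merged. Please test the daily build.\n'       > "$WORK/tuesday.txt"
gpgb --yes --armor --detach-sign -u alice@example.org -o "$WORK/monday.asc"  "$WORK/monday.txt"
gpgb --yes --armor --detach-sign -u alice@example.org -o "$WORK/tuesday.asc" "$WORK/tuesday.txt"

# Machine-readable verification: the VALIDSIG status line carries the
# fingerprint of the key that made the signature. Prints nothing on BADSIG.
signer_fpr() {  # $1 = detached signature, $2 = signed file
    gpg --batch --status-fd 1 --verify "$1" "$2" 2>/dev/null \
        | awk '/^\[GNUPG:\] VALIDSIG/ {print $3; exit}'
}

# Continuity check: same fingerprint on both days => same key. Nothing more.
same_signer() {  # $1 $2 = sig,file for mail A; $3 $4 = sig,file for mail B
    a=$(signer_fpr "$1" "$2"); b=$(signer_fpr "$3" "$4")
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Does GnuPG flag the signing key as revoked? (REVKEYSIG / KEYREVOKED status)
signer_revoked() {  # $1 = detached signature, $2 = signed file
    gpg --batch --status-fd 1 --verify "$1" "$2" 2>/dev/null \
        | grep -Eq '^\[GNUPG:\] (REVKEYSIG|KEYREVOKED)'
}

# Import the revocation certificate GnuPG wrote alongside the key. The file
# guards its armor header with a leading ':' so it cannot be imported by
# accident; stripping it is exactly what anyone who stole the file would do.
revoke_key() {
    sed 's/^://' "$GNUPGHOME/openpgp-revocs.d/$KEY_FPR.rev" \
        | gpg --batch --quiet --import 2>/dev/null
}

# Remove the throw-away keyring and its agent (call when done).
cleanup() { gpgconf --kill gpg-agent 2>/dev/null || true; rm -rf "$WORK"; }

# Demo run
same_signer "$WORK/monday.asc" "$WORK/monday.txt" "$WORK/tuesday.asc" "$WORK/tuesday.txt" \
    && echo "both mails signed by key $KEY_FPR (same key; who holds it is not proven)"
signer_revoked "$WORK/monday.asc" "$WORK/monday.txt" || echo "before revocation: key not flagged"
revoke_key
signer_revoked "$WORK/monday.asc" "$WORK/monday.txt" \
    && echo "after importing the revocation certificate: both signatures now come from a REVOKED key"
```

Run it with sh; the keyring lives under the temporary $WORK directory and
cleanup removes it. The fingerprint comparison is all a verifier can do
without out-of-band knowledge of the key: it says "same key as yesterday",
not "same person". The last two lines show the other half of the
discussion: the revocation certificate is just another signed statement
by the key, so it protects the owner only as long as nobody else holds
the secret key or the stored certificate.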