About PGP Signing a File.
Jeffrey F. Bloss
jbloss at tampabay.rr.com
Tue Feb 13 17:46:36 UTC 2007
Matthew Flaschen wrote:
> > And neither the valid nor the invalid revocation certificate
> > carries with it any mechanism at all to make a determination. That's
> > the whole point.
>
> Which means you should never use a revoked key, because it *could*
> have been compromised.
Within this sphere of influence it's foolish to assume that if
something can be done, it has not. Indeed, one of the most basic
premises of cryptography and security in general is to assume that it
*has* without irrefutable proof to the contrary. ;)
> > Out of band has nothing at all to do with this. Yes it's a valid way
> > to establish some level of personal credibility, but that
> > credibility doesn't scale to digital certificates at all like you
> > seem to believe it does. Even knowing someone all your life and
> > watching them generate a key in person right after the blood tests
> > is meaningless once you leave the room, without a considerable
> > amount of investment that has nothing at all to do with PGP.
>
> How's that? If I identify them in person, then get their key, I can
> be sure that all messages generated by that key were made by them.
How??
What proof do you have other than your own blind trust that the key
wasn't compromised even before you verified the identity of its owner?
Let alone after. What magic are you going to invoke that makes your
chosen proof of identification and personal sense of "trust" anywhere
*near* as secure as say... properly implemented AES or RIPEMD160?
The crucial point you're missing here is that some functions performed
by PGP are mathematically proved and some are only a "convenience". The
ability to tie any identity at all to a given key pair is one of the
latter type functions. It's not cryptographically secure, in fact it's
not cryptographically supported in the least. You're arguing that the
key-to-identity relationship is somehow supported by PGP and "secure"
after verifying identity at some point in time when it quite obviously
is not.
> > No, it's *the* issue. There's any number of ways this sort of
> > digital signature scheme can be trivially exploited or simply fail
> > under its own weight. A "DoS" attack perpetrated by forged/bogus
> > revocation certificates is just one of the inherent weaknesses that
> > make PGP signatures so unsuitable for proof of authorship that most
> > experts in the field consider them utterly useless.
>
> A (possibly fake) revocation makes them suddenly unsuitable, but
> between verification out-of-band and key revocation/expiry, why can't
> it work as a proof of authorship?
The potential for false revocation certificates to invalidate the
signing process doesn't "make anything" one way or another. It's an
example of the result, not a causative.
> > As I've stated quite plainly several times already, there are ways
> > to help give digital certificates the sort of credibility far too
> > many people assign to them as a default. They're generally either
> > unmanageable to the point of being ludicrous for most laypersons'
> > needs or fraught with their own perils.
>
> How is it ludicrous to meet a close friend in person to exchange keys?
It's not, and I never said it was. I said it's not secure to rely on
that sort of cursory validation for forward security, and that most
methods which *are* secure in that respect are "ludicrous" in the
context of average, noncritical usage.
My last comment to the thread, it's off topic anyway. :)
--
_?_ Outside of a dog, a book is a man's best friend.
(o o) Inside of a dog, it's too dark to read.
-oOO-(_)--OOo------------------------------[ Groucho Marx ]---
http://wrench.homelinux.net/~jeff/