[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Signature use and key trust (Was: Re: FV Demonstrates Fatal Flaw in Software Encryption of Credit)
-----BEGIN PGP SIGNED MESSAGE-----
Nathaniel Borenstein writes:
> Have you downloaded my key from the net? Assume that you have. How do
> you know it's mine?
For all intents and purposes so far, "Nathaniel Borenstein" is something that
occasionally sends mail to the cypherpunks list, apparently from nsb.fv.com.
I expect that NSB turns out to consist of more than that, but not in my own
experience. This entity persistently offers a public key from an email address
@nsb.fv.com. If I retrieved the key from that address, I would have a
reasonable expectation (though not assurance) that I could use it to verify
the integrity of signed messages emanating from that address.
In my world, "you" == [email protected], and hence "your key" == the key I could
fetch from [email protected].
> I use PGP about 20 times per day. I use it in a manner that is
> *meaningful*. Unless we have in some way or another verified each
> others' keys, it is meaningless for me to sign a message to you.
> Putting a PGP signature on a message to someone who has no way of
> verifying your keys is a nice political statement, but is utterly
> meaningless in terms of adding any proof of the sender's identity. --
I discussed the identity issue above. Assuming a corresponding key can be
found (which is clearly the case here), the signature on the message can be
verified as a MAC. It would have been nice to be able to check, for example,
that the SHOUTING IN CAPS in your announcement wasn't just the result of some
manipulation of the message in transit to make it appear more hysterical.
FWIW, I have lost a great deal of respect for you today (unrelated to the
content of this message).
Futplex <[email protected]>
-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
iQEVAwUBMQ2fACnaAKQPVHDZAQEn6wf9F1pmSnKBAv3acUSvy1x8Sb93J0aepqmo
8NXBsRy7NEErYWvME1PQ3JGAQ2prgzIARswWDS8NrzWmJi04VkGwrIALkUHreOvz
mMIjAx86R/DXq3iShPGO5uDN+jSXKMsUeeLgHZfE1ipcThGch5rSVDMR3VxRnDFw
WZIg+xSmy4JWfpiLhFP6BQjSqhEMw+9LZWndD+ZsUgGEuaSuJcVH5bvHFHiQNOUr
Z1JxYQeauBbqwU7Yb1FIrHJwU3tS1Q2dNdSaDayyalv5K+CLbT8089kX3BAn/Sjf
7RqqdCqqESic6mVbG0RK1IqwImsYzxzorKSDmxriTTERgaD9lJkrWA==
=/xzE
-----END PGP SIGNATURE-----