
Signed posts (was Re: FV ... Fatal Flaw ...)



-----BEGIN PGP SIGNED MESSAGE-----


Amidst all of the <exon> about the "fatal flaw", Mr. Scarenstein brings up
(amazingly) an interesting point regarding signed posts that I have wondered
about for a while.

At 5:30 PM 1/29/96, Nathaniel Borenstein wrote (highly edited!):
>Do you have my key in your key ring?  I rather doubt it.  So what good
>would it have done?
>
>Have you downloaded my key from the net?  Assume that you have.  How do
>you know it's mine?

The issue of knowing that a signed post belongs to a particular individual
has come up often.  Clearly the best approach is verifying the key in person.
Failing that, however, I have adopted a strategy of maximizing the
probability that the key actually belongs to me.  I do this by:

        1.  Including the fingerprint and where to get the key in my
            signed post (within the pgp sig)

        2.  Putting the key in a fairly secure place (i.e. on a machine
            controlled by my employer, but where I can check the key
            periodically)

        3.  Putting the same key on the keyservers

I could (and should) also place it on my web page as well.

This is not to say that someone could not impersonate me by creating a key
and placing it in all of these places, but I think it would be difficult,
and probably not worth the effort.  I am not real worried about this threat
(but heck, if someone really wants to impersonate me, I'd be flattered).

I think these measures are probably sufficient for a mailing list level of
discussion.  Any comments? (flames >/dev/null)

        Clay



- --------------------------------------------------------------------------
Clay Olbon II            | [email protected]
Systems Engineer         | ph: (810) 589-9930 fax 9934
Dynetics, Inc., Ste 302  | http://www.msen.com/~olbon/olbon.html
550 Stephenson Hwy       | PGP262 public key: finger [email protected]
Troy, MI 48083-1109      | pgp print: B97397AD50233C77523FD058BD1BB7C0
    "To escape the evil curse, you must quote a bible verse; thou
     shalt not ... Doooh" - Homer (Simpson, not the other one)
- --------------------------------------------------------------------------


-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBMQ4mjwS4mEMx6xUNAQFkjgP/QYovJZzguQy4yQqWYZQPCpZn1oU8VaCr
14JW7XIk29F4xDHEPT8YlCvt7lJ6aYvWNbFVpmTWzj8IiAgWwDeQZVbQyA+YRuMs
w5kOF2brGAElln+j5hxtoIzvfy2lp+Jr8c6Q3yklCX6Yizt6G+Ma08HC1HkUZ2Jd
d0GSBZwk4nw=
=PF/1
-----END PGP SIGNATURE-----
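
The cross-check a reader could run against the places listed in the post, as an added example that is not part of the original message: it recomputes the PGP 2.x fingerprint (MD5 over the RSA modulus and exponent bytes) from each copy of the key and compares it with the print carried in the signed post. The function names, channel labels and toy keys are constructed for illustration.

```python
import hashlib

def read_mpi(buf, off):
    """Read one OpenPGP MPI: 2-byte bit count, then the magnitude bytes."""
    bits = int.from_bytes(buf[off:off + 2], "big")
    end = off + 2 + (bits + 7) // 8
    if len(buf) < end:
        raise ValueError("truncated MPI")
    return buf[off + 2:end], end

def v3_fingerprint(body):
    """PGP 2.x (v3) fingerprint: MD5 over the RSA modulus bytes followed
    by the exponent bytes, without their 2-byte length prefixes."""
    if len(body) < 8 or body[0] not in (2, 3) or body[7] not in (1, 2, 3):
        raise ValueError("not a version 2/3 RSA public key")
    n, off = read_mpi(body, 8)  # skip version, created(4), validity(2), algo
    e, _ = read_mpi(body, off)
    return hashlib.md5(n + e).hexdigest().upper()

def normalize(fpr):
    """Strip spacing and case so 'b9 73 ..' and 'B973..' compare equal."""
    return "".join(fpr.split()).upper()

def cross_check(posted_fpr, copies):
    """Return {channel: problem} for every copy that fails to match the
    fingerprint printed in the signed post. An empty dict means all agree."""
    want, problems = normalize(posted_fpr), {}
    for channel, body in copies.items():
        try:
            got = v3_fingerprint(body)
        except ValueError as exc:
            problems[channel] = f"unparseable: {exc}"
            continue
        if got != want:
            problems[channel] = f"fingerprint {got} differs"
    return problems

def make_v3_body(n, e):
    """Constructed test input: a v3 RSA public-key packet body."""
    mpi = lambda x: x.bit_length().to_bytes(2, "big") + x.to_bytes((x.bit_length() + 7) // 8, "big")
    return bytes([3]) + bytes(4) + bytes(2) + bytes([1]) + mpi(n) + mpi(e)

# Constructed toy keys (far too small for real use), one copy per channel.
GOOD = make_v3_body(0xC5A1F3B7D9E4820F6B3D, 17)
EVIL = make_v3_body(0xC5A1F3B7D9E4820F6B3F, 17)  # a substituted key
POSTED = v3_fingerprint(GOOD)  # stands in for the print in the sig block
COPIES = {"finger": GOOD, "keyserver": EVIL, "web page": GOOD}

if __name__ == "__main__":
    print(cross_check(POSTED, COPIES))
```

Agreement across channels shows only that the copies are consistent with one another, which is the limit the post itself acknowledges. Version 3 keys and their MD5 fingerprints are deprecated in current OpenPGP.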