Signed posts (was Re: FV ... Fatal Flaw ...)
-----BEGIN PGP SIGNED MESSAGE-----
Amidst all of the <exon> about the "fatal flaw", Mr. Scarenstein brings up
(amazingly) an interesting point regarding signed posts that I have wondered
about for a while.
At 5:30 PM 1/29/96, Nathaniel Borenstein wrote (highly edited!):
>Do you have my key in your key ring? I rather doubt it. So what good
>would it have done?
>
>Have you downloaded my key from the net? Assume that you have. How do
>you know it's mine?
The issue of knowing that a signed post belongs to a particular individual
has come up often. Clearly the best approach is verifying the key in person.
Failing that, however, I have adopted a strategy of maximizing the
probability that the key actually belongs to me. I do this by:
1. Including the fingerprint and where to get the key in my
signed post (within the pgp sig)
2. Putting the key in a fairly secure place (i.e. on a machine
controlled by my employer, but where I can check the key
periodically)
3. Putting the same key on the keyservers
I could (and should) also place it on my web page as well.
This is not to say that someone could not impersonate me by creating a key
and placing it in all of these places, but I think it would be difficult,
and probably not worth the effort. I am not real worried about this threat
(but heck, if someone really wants to impersonate me, I'd be flattered).
I think these measures are probably sufficient for a mailing list level of
discussion. Any comments? (flames >/dev/null)
Clay
- --------------------------------------------------------------------------
Clay Olbon II | [email protected]
Systems Engineer | ph: (810) 589-9930 fax 9934
Dynetics, Inc., Ste 302 | http://www.msen.com/~olbon/olbon.html
550 Stephenson Hwy | PGP262 public key: finger [email protected]
Troy, MI 48083-1109 | pgp print: B97397AD50233C77523FD058BD1BB7C0
"To escape the evil curse, you must quote a bible verse; thou
shalt not ... Doooh" - Homer (Simpson, not the other one)
- --------------------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
-----END PGP SIGNATURE-----
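The cross-check Clay describes (compare the fingerprint of a key you fetched from a keyserver, finger or a web page against the fingerprint printed inside the signed post) can be done mechanically. The following is an added example, not code from the post or from PGP; it computes the PGP 2.x (v3 RSA) fingerprint that PGP 2.6.2 prints, MD5 over the bodies of the modulus and exponent MPIs as specified in RFC 4880 section 12.2, and the key values are constructed, not Clay's real key.

```python
"""Cross-check a fetched PGP v3 (RSA) public key against fingerprints
published in several independent places.  Added example; key values are
constructed for illustration and are not a real key."""
import hashlib


def mpi_body(value: int) -> bytes:
    """Big-endian octets of an integer with no leading zero octets, i.e. the
    MPI body without its two-octet bit-length prefix."""
    return value.to_bytes((value.bit_length() + 7) // 8, "big")


def v3_fingerprint(n: int, e: int) -> str:
    """v3 key fingerprint: MD5 over modulus body followed by exponent body
    (RFC 4880 section 12.2).  32 hex digits, as PGP 2.6.2's 'pgp print'."""
    return hashlib.md5(mpi_body(n) + mpi_body(e)).hexdigest().upper()


def v3_key_id(n: int) -> str:
    """v3 key ID is the low-order 64 bits of the modulus."""
    return f"{n & 0xFFFFFFFFFFFFFFFF:016X}"


def normalize(fp: str) -> str:
    """Accept fingerprints printed with or without spaces, any case."""
    return fp.replace(" ", "").upper()


def cross_check(n: int, e: int, published: dict) -> dict:
    """Compare the fingerprint of the key actually downloaded with the
    fingerprint published at each source (signed post, keyserver, finger,
    web page).  Returns a per-source verdict plus 'all_agree'; the key is
    accepted only when every independent source matches."""
    actual = v3_fingerprint(n, e)
    verdicts = {src: normalize(fp) == actual for src, fp in published.items()}
    verdicts["all_agree"] = all(verdicts.values())
    return verdicts


# Constructed sample key material (small, not secure, for demonstration only).
SAMPLE_N = 0xC0FFEE1234567890ABCDEF0123456789ABCDEF0011223344556677
SAMPLE_E = 17

if __name__ == "__main__":
    fp = v3_fingerprint(SAMPLE_N, SAMPLE_E)
    print("key id:", v3_key_id(SAMPLE_N), "fingerprint:", fp)
    print(cross_check(SAMPLE_N, SAMPLE_E, {"post": fp, "keyserver": fp.lower()}))
```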