[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Secure Key exchange

To: [email protected]
Subject: Re: Secure Key exchange
From: [email protected] (Theodore Ts'o)
Date: Mon, 30 Nov 92 13:36:45 EST
Address: 1 Amherst St., Cambridge, MA 02139
Cc: [email protected], [email protected]
In-Reply-To: Pat Farrell's message of Mon, 30 Nov 92 08:32:45 EST,<[email protected]>
Phone: (617) 253-8091

   Date: Mon, 30 Nov 92 08:32:45 EST
   From: [email protected] (Pat Farrell)

   I sign keys only when I am certian that the key belongs to the human who
   claims to have the name on the key. There are not a lot of keys signed
   by me floating arround, maybe six total.....

Ah, but how do we know that it's really you making this statement, and
not some evil NSA spoofer?  What people need to do is to make their
key-signinging policies available _signed_ with their private key; that
way at least we would know that the entity signing the keys and the
entity claiming that this is its policy are the same.  This helps, but
we would then still need to trust that the entity is telling the truth
insofar as its key-signing policy is concerned.

						- Ted

Follow-Ups:
- re: Secure Key exchange
  - From: "Mark W. Eichin" <[email protected]>

References:
- Re: Secure Key exchange
  - From: [email protected] (Pat Farrell)

Prev by Date: Secure key exchange I have to echo Phil's comments here. One of the things that might be worth a few minutes is for this group to hash out (pun intended) a set of guidelines for "when it's o.k. to sign a key". I have been
Next by Date: Re: Secure Key exchange
Prev by thread: Secure Key exchange
Next by thread: re: Secure Key exchange
Index(es):
- Date
- Thread