[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Secure Key exchange
[email protected] (Theodore Ts'o) wrote:
quoting: [email protected] (Pat Farrell)
I sign keys only when I am certian that the key belongs to
the human who claims to have the name on the key. There
are not a lot of keys signed by me floating arround, maybe
tt> Ah, but how do we know that it's really you making this statement, and
tt> not some evil NSA spoofer? What people need to do is to make their
tt> key-signinging policies available _signed_ with their private key; that
tt> way at least we would know that the entity signing the keys and the
tt> entity claiming that this is its policy are the same.
Exellent point. I'll put a signed statement of my policy in my
.plan. It won't add many characters, and anyone can find it by
fingering me. (and I've never claimed I don't work for
tt> This helps, but
tt> we would then still need to trust that the entity is telling the truth
tt> insofar as its key-signing policy is concerned.
I can't solve this one so easily. I have two ideas that can
1. change PGP in future versions (starting with 2.1?)
so it doesn't ask for confirmation every time a key is added
to the ring. Make the user do an active action, rather than a
half-asleep y<cr> to sign a key.
2. store a comment in my secret ring that is captured
each time I sign a key. Thus I could store the
"reason/justification" for the signature to jog my memory. I
know whose key's I've signed now, but as the number gets bigger, then
I'll need a memory aid. I suggest the secret ring, as I share
my public ring, and don't think that why I chose to sign a key
should be generally available. If this were supported, you
could then send me a msg asking "why did you sign John Doe's
key?" You would have to compare my answer to my published
policy and make your own judgement as to whether I follow it.
I could keep track of this manually, and should. But PGP
already requires me to have a lot of files arround.
Pat Farrell, Grad Student [email protected]
Department of Computer Science, George Mason University, Fairfax, VA
PGP key available via finger or request #include standard.disclaimer
Write PKP. Offer money for a personal use license for RSA.