Re: establishing trust
-----BEGIN PGP SIGNED MESSAGE-----
Carl Ellison <[email protected]> wrote:
> Ed Carp wrote:
> >Subject: Re: crypto for porno users
> >To: [email protected] (Carl Ellison)
> >Date: Thu, 23 Nov 1995 15:57:17 -0600 (CST)
> >Cc: [email protected], [email protected]
> >totally different from this "web of trust" I keep hearing about - and that i
> >*it*. Do you trust me any more now than before I started signing my posting
>
> Actually, in my view, signed postings are the first step. With those (and
> the right S/W (not there yet)), I get to know that a bunch of postings came
> from the same person. I even know who they came from: the person who
> is capable of signing with key 0xXXXXXXXX.
I hate to point this out, but that isn't true.
Anyone can create a key with any chosen keyid and
attach the same publicly known name to it. (see,
e.g., the key I signed this with, given below).
The only unforgeable things about a particular
1. The key itself (you know, the product of the
2. The key fingerprint (unless MD5 is compromised)
3. The web of trust leading to that key.
So, in practice, you actually have to look at the
key fingerprint of the key used to sign a message,
if you want to be sure of the uniqueness of that
Or you have to only trust keys that come
well-introduced. Back to the Web of Trust.
> Since the only way I have of getting to know the person is through those
> postings, I get to know that person and through that knowledge I decide
> whether or not to trust.
I've been trying to think of the possible
ramifications of spoofing people's names and
keyids on a large scale. And a large scale is
certainly possible -- it only took me about an
hour to create this key. I was originally
intending to use this key as part of a real
project, to gain attention to the project, but the
more I thought about it the more I worried about
the implications. This "coming out" invalidates
any chance of that happening.
There are two bad things I can think of.
Suppose I want to somehow attack Fred. I can
create a key with the same ASCII text associated
with it very easily. With only a little more
effort, I can also duplicate the keyid. PGP adds
new keys at the front of the keyring, so if I
start distributing this new key widely, it will
appear in keyrings before the "real" Fred's.
Whenever this happens automatically, there is some
possibility that the wrong key will be used for
some operations. PGP doesn't help much, because it
is hard to specify the key unambiguously in this
PGP uses more than just the visible part of the
keyID. So at least it will choose the right key to
verify signatures, right? Maybe not. I can apply
the same spoofing technique to the whole internal
keyID, and generate a key that even PGP can't
tell is the wrong one. I think that when PGP tried
to check the signature on a message from the "real"
Fred that it would notice that it had applied the
wrong key, but I'm not absolutely sure on this
point. Anyway, an inattentive or somewhat
automated user will merely notice that the
document signature fails to check out, essentially
slurring the "real" Fred's reputation.
Any other possible attacks?
Greg Rose INTERNET: [email protected]
Sterling Software VOICE: +61-2-9975 4777 FAX: +61-2-9975 2921
28 Rodborough Rd. http://www.sydney.sterling.com:8080/~ggr/
French's Forest 35 0A 79 7D 5E 21 8D 47 E3 53 75 66 AC FB D9 45
NSW 2086 Australia. co-mod sci.crypt.research, USENIX Director.
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
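
The check the message argues for (trust the fingerprint, not the name or key ID), as an added example that is not part of the original post. It assumes the version 3 (PGP 2.x) definitions: key ID is the low 64 bits of the RSA modulus, fingerprint is MD5 over the modulus and exponent bodies. Function names, the sample name and the sample integers are constructed for illustration.

```python
import hashlib

def mpi_body(x):
    """Big-endian bytes of an integer, without the two-byte MPI length prefix."""
    return x.to_bytes((x.bit_length() + 7) // 8, "big")

def key_id(n, bits=64):
    """Version 3 key ID: low-order bits of the RSA modulus (PGP displays 32)."""
    return n & ((1 << bits) - 1)

def fingerprint(n, e):
    """Version 3 fingerprint: MD5 over the modulus body, then the exponent body."""
    return hashlib.md5(mpi_body(n) + mpi_body(e)).hexdigest().upper()

def ambiguous_entries(keyring):
    """Report each name or key ID that maps to more than one fingerprint."""
    groups = {}
    for name, n, e in keyring:
        for label in (("name", name), ("keyid", "%016X" % key_id(n))):
            groups.setdefault(label, set()).add(fingerprint(n, e))
    return {label: sorted(fprs) for label, fprs in groups.items() if len(fprs) > 1}

def select_key(keyring, pinned_fpr):
    """Pick a key by full fingerprint only, ignoring its position in the keyring."""
    for entry in keyring:
        if fingerprint(entry[1], entry[2]) == pinned_fpr:
            return entry
    return None

# Constructed sample integers (not real RSA moduli) sharing their low 64 bits.
NAME = "Fred <fred@example.invalid>"
KNOWN_N = (0xA5A5A5A5A5A5A5A5 << 64) | 0x0123456789ABCDEF
LOOKALIKE_N = (0x5A5A5A5A5A5A5A5B << 64) | 0x0123456789ABCDEF
# The later arrival sits at the front, as the message says PGP orders keyrings.
KEYRING = [(NAME, LOOKALIKE_N, 17), (NAME, KNOWN_N, 17)]
# Stand-in for a fingerprint obtained out of band (read over the phone, say).
PINNED = fingerprint(KNOWN_N, 17)

if __name__ == "__main__":
    for (kind, value), fprs in ambiguous_entries(KEYRING).items():
        print(f"ambiguous {kind} {value}: {len(fprs)} distinct fingerprints")
    print("selected modulus:", hex(select_key(KEYRING, PINNED)[1]))
```

Both the name and the 64-bit key ID are flagged as ambiguous, while selection by pinned fingerprint returns the known key even though the lookalike is first in the keyring.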