[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

No Subject



-----BEGIN PGP SIGNED MESSAGE-----

Of course.  My signature was bad.
  I got a message in response to a request I made to someone for their public
key.  I wanted to check the signatures that they included with their posts
to cypherpunks, but their key was not on the keyservers.  The key they
included was completely unsigned, and when I use it to validate their
previous posts as well as the message they sent which included the key, the
signatures come back as bad, the contents of the file changed.  Names are
appropriately withheld (I hope).  As I understand the bcc: definition, only
I and the first smtp server this message hits should know who it's to.  I
don't know if anyone else reading this mailing list needs this info, but
just in case... here's my reply to the message.

At 10:03 PM 1/28/96 -0800, you wrote:
>Sorry, I'm a newbie to Internet, and also the Internet usage of PGP.  I just
>participated in a local keysigning meeting, so maybe my key will find its
>way to a server.

Don't worry about being a 'newbie'.  Everyone starts somewhere.  However,
your key will usually not 'find its way' to a server without you
specifically sending it.  The keyserver I usually use is accessed by sending
a mail message which fits the following format.  As far as I know, all the
keyservers use this format to add or update keys in their databases.  You
only have to send it to one keyserver, and it will propagate to all the
others.  I have indented the text so that no handlers decide to interpret it
as a new message.

- - To: [email protected]
- - Subject: ADD
- -
- - -----BEGIN PGP PUBLIC KEY BLOCK-----
- - Version: 2.6.2
- -
- - [key deleted to protect the innocent]
- -
- - -----END PGP PUBLIC KEY BLOCK-----

>I'm sorry to have to admit that I don't even know how to do this!  Newbie
>alert!

If you don't admit you don't know something, nobody will usually tell you
how to do it.  Also, you should sign your own key.  That will make it harder
to forge, I think.  The reasons were spelled out in a couple of the web
pages I read, but I've forgotten them.  It has something to do with either a
denial of service attack or a man in the middle attack, or both.  The
command to do this is:

pgp -ks 0xHEXKEYID

Honestly, I've only just begun to use pgp myself.  Also, you should add your
e-mail address to the user-id of your key.  The command to do so is: 

pgp -ke 0xHEXKEYID

You will be asked if you wish to add a user id to the key.  Say yes, and
give it your e-mail address.  What this does is it allows people who are
using pgp-enabled mailers to directly encrypt messages to you without
choosing your key manually.

The reason that I have not encrypted this message to you using the key you
provided is that when I extracted the key and re-checked your message, the
signature was no good.  I've found that (using eudora) I must turn off the
word wrap feature of my mailer to allow for good signed messages out.  Of
course, having said this, I'll probably not get a good signature on this
message.  Let me know if it signs ok.

Now, I have a question.  Which attack(s) is/are a person vulnerable to when
distributing an unsigned public key in the open?  Could this actually be a
complex man-in-the-middle attack?  Am I paranoid?



-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBMQzROLTS4SjerN/RAQGLNwP8DMXP1BLdeygfEaBF//lYZHkxWGFaFx9L
R59KJQ/VaYVU/Q17bFDhXyCztu2IRlzLhBqno+5uHsZTL01M3D1dyXGDBvlxY+FB
kNaClKzeXYqA3Or7Ny2mcgyZW/bGXA6v3Z+RQgDuVrXsJz5wGP/UxBU3Ppr05+qL
i+5KB2efLxA=
=iXlS
-----END PGP SIGNATURE-----