GPG signatures

Trevor Smith trevor at haligonian.com
Tue Dec 30 15:54:45 UTC 2003


On Tue, 30 Dec 2003 01:12:13 -0500, Lorenzo Prince wrote:

>This is true, but with the current GPG tools, it seems much easier, at least to
>me, to simply export my key to a keyserver and let anyone import it if needed.
>More importantly, if I export my key, most servers sync with the server my key is
>posted on so in most cases it doesn't matter what keyserver you use.

Automatic downloading of keys makes me wonder what the use of PGP / GPG
signing really is. All it will do, in this case, is tell you that the
person who sent the message is the person who uploaded the key. Which,
in reality, tells you nothing.

Yes, I suppose keyservers will only accept one key for one email
address (is this true?) so if I'm the one who uploads a key for
trevor at haligonian.com *FIRST*, then the "real" trevor at haligonian.com
would be the one posting to this list. But even though I know this
(since I'm him), you wouldn't have any proof of it, since you don't
know I'm him. Maybe I'm someone pretending to be me and I created a key
and started sending emails to this list. Unless you emailed me
directly, you'd never know (presumably without much more sophisticated
hacking a "fake" trevor wouldn't be able to intercept my email).

Or suppose I just created a "slightly faked" domain and address like
trevor at haligonan.com (notice the missing "i" in "haligonian"), created
a key, uploaded it and started signing messages. If you auto-download
keys then you might never even notice that this is a "new" trevor.

If you only get keys manually, you would at least have a little more
awareness of some of that spoofing and maybe more direct knowledge of
who you're communicating with.


-- 
 Trevor Smith    |    trevor at haligonian.com
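
Added example, not part of the original message: a local pin check that gives the awareness the post attributes to fetching keys manually, flagging a changed key for a known address and a near-miss address such as the haligonan.com case. The fingerprints, the example.org address and the function names are constructed for illustration; the two trevor addresses are the ones from the message.

```python
# Added example: compare a signer's (address, fingerprint) against keys the
# user verified by hand, instead of trusting whatever a keyserver returns.
# All fingerprints below are constructed placeholders, not real keys.

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # deletion
                           cur[j - 1] + 1,             # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def check_signer(pins: dict, address: str, fingerprint: str,
                 max_dist: int = 2) -> str:
    """Classify a signed message against locally pinned keys.

    pins maps a lowercase address to the fingerprint verified manually.
    """
    address = address.strip().lower()
    fingerprint = fingerprint.replace(" ", "").upper()
    if address in pins:
        # Known correspondent: the key must be the one already verified.
        return "match" if pins[address] == fingerprint else "key-changed"
    for known in pins:
        # Unknown address that is nearly a known one: likely a spoofed domain.
        if edit_distance(address, known) <= max_dist:
            return "lookalike:" + known
    return "unknown"


# Constructed sample data: one manually verified correspondent.
PINS = {"trevor@haligonian.com": "AAAA1111BBBB2222CCCC3333DDDD4444EEEE5555"}

if __name__ == "__main__":
    samples = [
        ("trevor@haligonian.com", "AAAA 1111 BBBB 2222 CCCC 3333 DDDD 4444 EEEE 5555"),
        ("trevor@haligonian.com", "FFFF6666AAAA7777BBBB8888CCCC9999DDDD0000"),
        ("trevor@haligonan.com", "FFFF6666AAAA7777BBBB8888CCCC9999DDDD0000"),
        ("newposter@example.org", "1234567890ABCDEF1234567890ABCDEF12345678"),
    ]
    for addr, fpr in samples:
        print(addr, "->", check_signer(PINS, addr, fpr))
```

A "key-changed" or "lookalike" result is the point at which to verify the fingerprint out of band before treating the signature as meaningful.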





