GPG signatures

prata at ghostlike.homelinux.org
Tue Dec 30 16:23:39 UTC 2003


On Tue, Dec 30, 2003 at 11:54:45AM -0400, Trevor Smith typed in a frenzy:
> Automatic downloading of keys makes me wonder what the use of PGP / GPG
> signing really is. All it will do, in this case, is tell you that the
> person who sent the message is the person who uploaded the key. Which,
> in reality, tells you nothing.
>
> Yes, I suppose keyservers will only accept one key for one email
> address (is this true?) so if I'm the one who uploads a key for
> trevor at haligonian.com *FIRST*, then the "real" trevor at haligonian.com
> would be the one posting to this list. But even though I know this
> (since I'm him), you wouldn't have any proof of it, since you don't
> know I'm him. Maybe I'm someone pretending to be me and I created a key
> and started sending emails to this list. Unless you emailed me
> directly, you'd never know (presumably without much more sophisticated
> hacking a "fake" trevor wouldn't be able to intercept my email).
> 
> Or suppose I just created a "slightly faked" domain and address like
> trevor at haligonan.com (notice the missing "i" in "haligonian"), created
> a key, uploaded it and started signing messages. If you auto-download
> keys then you might never even notice that this is a "new" trevor.
> 
> If you only get keys manually, you would at least have a little more
> awareness of some of that spoofing and maybe more direct knowledge of
> who you're communicating with.

Trevor, I agree with you entirely. This is one reason why I pay such
close attention to the e-mail addresses of individuals that do sign
stuff. I typically don't fetch keys automatically. I have to admit
though, that setting gpg to fetch those keys automatically does sound
quite attractive. It can be a pain to fetch them manually, but this
is only if you're fetching a ton at a time every other frickin' day.

Since this isn't the case, it's quite alright. But for all of my diligence,
I'm a moron and I have yet to put my public key up on my web page.
Now how's that for stupidity. ^_^

Alex

http://ghostlike.homelinux.org/security.htm (Where my key will be when
I'm done bein' lazy. hehe)
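Added example, not code from either poster: a small Python check that turns gpg's --status-fd output into the distinction Trevor draws above, separating a signature by a fingerprint you pinned out of band from the same address signed by some other key, and from a look-alike domain such as haligonan.com. The pinned table, fingerprints and status lines are constructed samples; the GOODSIG/VALIDSIG line layout is gpg's own.

```python
import re

# Fingerprints learned out of band (in person, or from the owner's web page);
# the values here are constructed samples, not real keys.
PINNED = {"trevor@haligonian.com": "0123456789ABCDEF0123456789ABCDEF01234567"}
# gpg --status-fd lines for a good signature: GOODSIG carries the user ID,
# VALIDSIG the full fingerprint of the signing key.
GOODSIG = re.compile(r"^\[GNUPG:\] GOODSIG [0-9A-F]+ .*<([^>]+)>")
VALIDSIG = re.compile(r"^\[GNUPG:\] VALIDSIG ([0-9A-F]{40}) ")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; enough to catch a dropped letter in a domain."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(status_lines, claimed_sender: str) -> str:
    """Decide what a 'good' signature actually tells us about the sender."""
    uid_email = fpr = None
    for line in status_lines:
        if m := GOODSIG.match(line):
            uid_email = m.group(1).lower()
        if m := VALIDSIG.match(line):
            fpr = m.group(1)
    if not (uid_email and fpr):
        return "no-valid-signature"
    if uid_email != claimed_sender.lower():
        return "uid-sender-mismatch"          # key's UID is not the From: address
    if uid_email in PINNED:
        return "pinned-ok" if PINNED[uid_email] == fpr else "pinned-mismatch"
    domain = uid_email.split("@", 1)[1]
    for known in PINNED:
        kdom = known.split("@", 1)[1]
        if kdom != domain and edit_distance(kdom, domain) <= 2:
            return "lookalike-domain"         # e.g. haligonan.com vs haligonian.com
    return "unknown-key"                      # valid signature, but identity unknown


def status(uid: str, fpr: str):
    # Constructed --status-fd lines for a good signature by key `fpr`.
    return [f"[GNUPG:] GOODSIG {fpr[-16:]} {uid}",
            f"[GNUPG:] VALIDSIG {fpr} 2003-12-30 1072800000 0 4 0 17 2 01 {fpr}"]


UID = "Trevor Smith <trevor@haligonian.com>"
FAKE_FPR = "FEDCBA9876543210FEDCBA9876543210FEDCBA98"
REAL = status(UID, PINNED["trevor@haligonian.com"])           # the real Trevor
IMPOSTOR = status(UID, FAKE_FPR)                              # same address, other key
LOOKALIKE = status(UID.replace("haligonian", "haligonan"), FAKE_FPR)
```

Only "pinned-ok" means anything about identity; every other outcome is exactly the "tells you nothing" case from the quoted message, with a look-alike domain flagged separately so auto-fetched keys don't slip a "new" Trevor past you.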
