Ah, so the key servers federate! Cool. Thinking about the Man-in-the-Middle PKE attack, that is a little difficult with OpenPGP.
That involves a man in the middle substituting their public key for mine and also arranging to intercept messages sent to me that are encrypted using the MitM public key for decryption and re-encrypted with my actual public key. Since I can easily tell whether or not the public key retrieved from any one of the key servers is one that goes with the secret key I have, it is pretty difficult to prevent me from detecting a public-key substitution. And I can check even deeper than matching fingerprint reports.

I think that is enough for two distant participants who are known to each other to find a way to confidentially exchange something private known only to the two of them as a way to confirm that their respective public keys are authentic and worthy of signing. It does depend on our actually being known to each other in a way that allows such a procedure to be contrived. I'm going to try that with a distant friend of mine.

 - Dennis

-----Original Message-----
From: Daniel Shahaf [mailto:[email protected]]
Sent: Monday, October 15, 2012 11:22
To: Dennis E. Hamilton
Cc: [email protected]
Subject: Re: key signing

Dennis E. Hamilton wrote on Mon, Oct 15, 2012 at 11:07:56 -0700:
> <https://people.apache.org/keys/committer/orcmid.asc>. (I'm not sure
> where this is fetched from, so I'm not sure how counter-signed versions

Currently keys.gnupg.net

https://svn.apache.org/repos/asf/infrastructure/site/trunk/people/keys-fetch.py

> show up.)

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
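As an added example that is not part of this thread, the check Dennis describes (does the key a key server hands back fingerprint to the key I actually hold?) worked through in Python with RFC 4880's v4 fingerprint construction; the RSA values, the creation timestamp and the server name `pool.example` are constructed for the demo, not taken from the list.

```python
# Added example (not from the mailing-list thread): computes an OpenPGP v4 key fingerprint
# the way RFC 4880 defines it and uses it to check keys fetched from several key servers
# against the key you hold locally. The RSA values below are small constructed toys.
import hashlib
import struct

def mpi(value: int) -> bytes:
    """OpenPGP multiprecision integer: 2-byte bit length, then big-endian magnitude."""
    bitlen = value.bit_length()
    return struct.pack(">H", bitlen) + value.to_bytes((bitlen + 7) // 8, "big")

def rsa_public_key_body(created: int, n: int, e: int) -> bytes:
    """Body of a version 4 public-key packet for RSA (public-key algorithm id 1)."""
    return b"\x04" + struct.pack(">I", created) + b"\x01" + mpi(n) + mpi(e)

def v4_fingerprint(body: bytes) -> str:
    """RFC 4880 section 12.2: SHA-1 over 0x99, a 2-byte body length, and the body."""
    digest = hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body)
    return digest.hexdigest().upper()

def long_key_id(fingerprint: str) -> str:
    """The 64-bit key ID is the low-order 16 hex digits of the v4 fingerprint."""
    return fingerprint[-16:]

def servers_with_substituted_key(local_fp: str, fetched: dict) -> list:
    """Names of servers whose returned key body does not fingerprint to local_fp.
    The fingerprint covers the creation time and all public key material, so a match
    means the server returned exactly the primary key that pairs with your secret key."""
    want = local_fp.replace(" ", "").upper()
    return sorted(name for name, body in fetched.items() if v4_fingerprint(body) != want)

# Constructed sample data: the key owner's real key and a substituted one with a different n.
CREATED = 1350324000                      # a 2012 creation timestamp, chosen for the demo
GENUINE = rsa_public_key_body(CREATED, 0xC5B2E1D9A7F3041B, 65537)
IMPOSTOR = rsa_public_key_body(CREATED, 0xD2A47F19E8C3B065, 65537)
LOCAL_FINGERPRINT = v4_fingerprint(GENUINE)  # what `gpg --fingerprint` shows for your own key

if __name__ == "__main__":
    # "pool.example" is a placeholder server name; keys.gnupg.net is the one named in the thread.
    fetched = {"keys.gnupg.net": GENUINE, "pool.example": IMPOSTOR}
    print("local fingerprint:", LOCAL_FINGERPRINT, "key id:", long_key_id(LOCAL_FINGERPRINT))
    print("servers returning a substituted key:",
          servers_with_substituted_key(LOCAL_FINGERPRINT, fetched))
```

With real keys, feed the parsed public-key packet body (for example from a dump of the `.asc` file) to `v4_fingerprint` and compare against the fingerprint your own keyring reports.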
