On 3/03/11 3:17 PM, David Shaw wrote:
>
> The premise (more or less) was that a guy named Martin (RM) was on a
> mailing list and signed all his mail. After some time, a new guy
> (FM) shows up and claims that he is, in fact, Martin. FM may have
> his own key or may not have a key at all. It doesn't matter,
> because the members of the mailing list can see, by means of RM's
> signatures, a continuity of communication. They can tell RM apart
> from FM, simply because only RM can issue the signatures they've
> been seeing on his messages.

Right, so FM's only spoofing ability via a key would be to create one in the same name as Martin and hope that people collecting keys would just add it and not double-check the key ID/fingerprint. I'd misread that as FM doing something sneaky to generate a key that had a matching key ID (though probably not a matching fingerprint).

> Now, there are limits to this technique. They can't tell who is
> really "Martin" (i.e. they can't bind the name to a real-world
> person) without some other information, but in the context of
> Internet communication that frequently doesn't matter.

That's probably the case for a lot of GPG usage.

> They can tell which one is the guy they've been talking with for all
> this time. Which one is *their* Martin, if you like.

Which is one of the valuable sides to signing all or most messages. It helps prove when spoofing has occurred.

> Despite all the noise in the thread, it's nothing terribly odd.
> It's just the way nym keys work.

Yeah, I played with that years ago, but for the most part it was just too irritating for most things I wanted to do. Anonymity and pseudonymity can be useful, but for my part that's only for certain specific projects. I did once create one to play with a journalist researching the Echelon program in the 1990s, that was fun, even got him to use one of those international releases of PGP.

Regards,
Ben
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
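
The continuity check discussed in the message above, as an added example that is not part of the original thread: a ledger that pins the full fingerprint first seen under a sender name and flags a later key under the same name, including the case where only the short key ID matches. It assumes signatures were already verified with gpg and its `--status-fd` output captured; the names `ContinuityLedger`, `validsig_fingerprint` and `replay` are hypothetical, and all fingerprints and status lines are constructed.

```python
# Added example. Fingerprints and status lines are constructed sample data.
RM_FPR = "A1B2C3D4E5F60718293A4B5C6D7E8F90DEADBEEF"  # the Martin the list knows
FM_FPR = "0F1E2D3C4B5A69788796A5B4C3D2E1F0DEADBEEF"  # newcomer, same short key ID


def validsig_fingerprint(status_output):
    """Return the full fingerprint from a GnuPG VALIDSIG status line, or None."""
    for line in status_output.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[:2] == ["[GNUPG:]", "VALIDSIG"]:
            return fields[2].upper()
    return None  # unsigned, or the signature did not verify


class ContinuityLedger:
    """Remembers which key first signed mail under each sender name."""

    def __init__(self):
        self.first_seen = {}  # sender name -> full fingerprint

    def check(self, sender, status_output):
        fpr = validsig_fingerprint(status_output)
        if fpr is None:
            return "unsigned"
        known = self.first_seen.get(sender)
        if known is None:
            self.first_seen[sender] = fpr
            return "first-seen"
        if known == fpr:
            return "continuous"
        # Same name, different key: say whether a short key ID comparison
        # (last 8 hex digits) would have accepted it.
        if known[-8:] == fpr[-8:]:
            return "mismatch (short key ID collides)"
        return "mismatch"


def sample_status(fpr):
    """Build a constructed status block shaped like gpg --status-fd output."""
    return (f"[GNUPG:] GOODSIG {fpr[-16:]} Martin\n"
            f"[GNUPG:] VALIDSIG {fpr} 2011-03-03 1299125820 0 4 0 1 2 00 {fpr}")


def replay():
    """Run four constructed list messages, all claiming to be from Martin."""
    ledger = ContinuityLedger()
    mail = [sample_status(RM_FPR), sample_status(RM_FPR), sample_status(FM_FPR), ""]
    return [ledger.check("Martin", status) for status in mail]
```

The ledger says nothing about who Martin is in the real world; it only answers whether a message comes from the same key the list has been seeing.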