Gregor Zattler:
> Hi Steve, gnupg users,
> * Steve Jones <st...@secretvolcanobase.org> [24. Jan. 2014]:
>> Which reminds me that I'd really like an email client that
>> automatically signs keys at level 1 (persona) of anyone who replies
>> with a signed email that quotes a significant portion of the text I
>> sent, as this effectively counts as a challenge response protocol in my
>> book.
>
> That's an interesting idea. But there is still the possibility
> of a man in the middle attack... The web of trust is supposed to
> counter MITM attacks by signing keys only if the verification was
> done directly (no middle person).
Maybe you already discussed that, but what about sending someone an
encrypted email (with the challenge) and waiting for an encrypted reply
with the signed challenge? (As you seem to talk only about sending a
clear-text challenge.)

Personally, I don't want such behaviour. When I'm making a
certification, then it's me doing it manually, as I have the
responsibility. I don't want some program to be able to make automated
certifications with my key.

Here's a quote from an email on a very similar topic:

From: Robert J. Hansen <r...@sixdemonbag.org>
Subject: Re: trust your corporation for keyowner identification?
Date: 2013-10-17 13:54 -0700

>> In my proposed scenario, the corporation [e.g. HR] is doing nothing more than
>> providing a means for the participants to know that Bob is actually Bob
>> because the company has checked his id and said he is and providing an
>> authenticated means (again, IT being a black-hat aside) to communicate
>> with Bob and verify fingerprints, etc.
>
> Under this scenario, the entire thing is dangerously bogus.
>
> When I sign a certificate, I am sending a message: "I am vouching for the
> identity of X." Under your scenario, I'm no longer vouching for the identity
> of X. I would instead be saying, "Someone else who is not listed on this
> signature has vouched for the identity of X. I am signing this without any
> direct personal knowledge of X's identity."
>
> If you're vouching for X's identity, you need to take positive steps to
> verify X's identity. If someone else is vouching for X's identity, then let
> them sign X's certificate. Why should you get involved without doing your
> own positive verification?

Two replies later in the thread there was Stan Tobias <st...@privatdemail.net>
who clarified:

> [That] you vouch that the person told you "This is my key". Making a
> certification is *not* a confirmation of an identity.
I like the term "vouch" here, because it highlights the responsibility in
the Web of Trust of the person doing the certification.

Cheers,
--
nb.linux

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
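The two challenge variants discussed in this thread (Steve's clear-text quote-back and the encrypted challenge nb.linux suggests), together with Gregor's man-in-the-middle objection, as an added toy model. This is not code from the thread, from GnuPG or from any mail client: it uses textbook RSA with tiny fixed primes so that it runs on the Python standard library alone, which makes it insecure and good only for showing who can answer which kind of challenge. The key pairs, the names Bob and Mallory, the nonce size and the two policy functions are all assumptions constructed for this illustration.

```python
"""Toy model of automatic certification by challenge-response.

Added illustration, not code from the gnupg-users thread or from GnuPG.
Textbook RSA with tiny, fixed primes: NOT secure, it only models who can
answer a clear-text versus an encrypted challenge.  All keys, names and the
policy functions are assumptions made for this example.
"""
from dataclasses import dataclass
import secrets


@dataclass(frozen=True)
class PublicKey:
    n: int
    e: int


@dataclass(frozen=True)
class PrivateKey:
    n: int
    d: int


def keygen(p, q, e):
    """Textbook RSA from two (toy) primes; d is the inverse of e mod phi(n)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return PublicKey(n, e), PrivateKey(n, pow(e, -1, phi))


def encrypt(pub, m):
    """Only the holder of the matching private key can recover m."""
    return pow(m, pub.e, pub.n)


def decrypt(priv, c):
    return pow(c, priv.d, priv.n)


def sign(priv, m):
    """Textbook RSA signature over the (small) message itself."""
    return pow(m, priv.d, priv.n)


def verify(pub, m, sig):
    return pow(sig, pub.e, pub.n) == m


# Constructed key pairs: Bob's is the real one, Mallory is the middle person.
BOB_PUB, BOB_PRIV = keygen(61, 53, 17)           # n = 3233
MALLORY_PUB, MALLORY_PRIV = keygen(101, 113, 3)  # n = 11413


def new_nonce():
    # Kept below every toy modulus; real code would use a full-size random value.
    return secrets.randbelow(3000) + 2


# Policy 1 (Steve's proposal): clear-text challenge.  The client certifies
# whichever key signed a reply that quotes the challenge back.
def cleartext_policy(nonce, reply):
    quoted, sig, signer_pub = reply
    if quoted == nonce and verify(signer_pub, quoted, sig):
        return signer_pub            # this key would get certified
    return None


# Policy 2 (nb.linux's variant): the challenge is encrypted to the key the
# client already holds; that key is certified if the signed reply returns the nonce.
def encrypted_policy(believed_pub, nonce, reply):
    quoted, sig = reply
    return quoted == nonce and verify(believed_pub, quoted, sig)


def answer(priv, ciphertext):
    """What a responder does: decrypt the challenge and sign what came out."""
    m = decrypt(priv, ciphertext)
    return m, sign(priv, m)


# Scenarios --------------------------------------------------------------
def honest_encrypted(nonce=None):
    """Alice holds Bob's real key and Bob answers the encrypted challenge."""
    nonce = new_nonce() if nonce is None else nonce
    return encrypted_policy(BOB_PUB, nonce, answer(BOB_PRIV, encrypt(BOB_PUB, nonce)))


def mitm_cleartext(nonce=None):
    """Clear-text challenge: Mallory reads it in transit and signs it with her own key."""
    nonce = new_nonce() if nonce is None else nonce
    reply = (nonce, sign(MALLORY_PRIV, nonce), MALLORY_PUB)
    return cleartext_policy(nonce, reply)   # MALLORY_PUB is what gets certified


def mitm_encrypted_real_key(nonce=None):
    """Challenge encrypted to Bob's real key: Mallory cannot recover the nonce."""
    nonce = new_nonce() if nonce is None else nonce
    c = encrypt(BOB_PUB, nonce)
    return encrypted_policy(BOB_PUB, nonce, answer(MALLORY_PRIV, c))


def mitm_encrypted_substituted_key(nonce=None):
    """Alice was handed Mallory's key as Bob's: the encrypted challenge goes to
    Mallory, who answers correctly.  Possession of the key is proven, Bob's
    identity is not."""
    nonce = new_nonce() if nonce is None else nonce
    c = encrypt(MALLORY_PUB, nonce)
    return encrypted_policy(MALLORY_PUB, nonce, answer(MALLORY_PRIV, c))


if __name__ == "__main__":
    print("honest, encrypted challenge        ->", honest_encrypted())
    print("clear-text challenge, MITM         ->", mitm_cleartext() == MALLORY_PUB)
    print("encrypted to real key, MITM        ->", mitm_encrypted_real_key())
    print("encrypted to substituted key, MITM ->", mitm_encrypted_substituted_key())
```

The first three scenarios show the difference between the two variants: a clear-text challenge can be answered by anyone who reads the mail and signs with a key of their own, while a challenge encrypted to the real key cannot. The last scenario is the man-in-the-middle case Gregor raises: if the key the client already holds is the wrong one, the encrypted challenge is answered correctly by its holder, so what the automated check proves is that the responder controls the key the client encrypted to ("this is my key", in Stan Tobias's words), not that the responder is Bob.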