On 29/08/17 13:33, Robert J. Hansen wrote: > This is not true except in a theoretical mathematical sense. > > For instance, several people in the community (I know I have, and I > recall Werner saying he as well) have seen PGP-signed spam mails that > are the result of a home user using Symantec's PGP mail proxy, then > getting infested by malware which sends out spam. Since all mail goes > through the proxy and the credentials are cached, the spam mails were > signed.
Ha. OpenPGP-signed spam. That is a really amusing incident. > You can prove origination *only if* you can prove the originating PC was > not compromised. Given how common compromise is today -- a few years > ago Vint Cerf estimated one in four desktop PCs was compromised -- this > is a very high threshold to clear. > > In a theoretical sense, OpenPGP is a nonrepudiable protocol. But in a > practical sense, it is not. I want to note that I said “somebody in the possession of the private key”. I am aware of the “somebody stole my private key” trick for signature repudiation. I did not consider the possibility of malware (thanks for bringing that into my consideration), but the problem is the same. The problem is that credible repudiation of signatures done that way requires that the legitimate key owner (that would be myself) stops using that key and moreover claims that (at least) all the signatures more recent (meaning the actual date –for which in many cases only an upper bound is known–, not by the date claimed in the signature) than the one he wants to repudiate are illegitimate. This is something undesirable. Ideally, there should be no need to throw the key, -- Do not eat animals, respect them as you respect people. https://duckduckgo.com/?q=how+to+(become+OR+eat)+vegan
signature.asc
Description: OpenPGP digital signature
_______________________________________________ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
