* Jean-Sebastien Morisset ([EMAIL PROTECTED]) [010917 13:15]:
> I'm really enjoying GnuPG, especially the auto-fetch feature for unknown
> keys (which never worked for me in PGP). As I accumulate public keys, I'd
> like to lsign the keys (--lsign-key cmdarg) to remove that little warning.
> Unfortunately, there's no good way to authenticate the key.
>
> What do you guys do? Put up with the warning? Sign the key even if you're
> not sure? Use the X-PGP-Fingerprint header as a second validation? Use
> fingerprints in signatures?
Well, your signature on a key is your certification that this key
actually belongs to this person. Don't go and sign a key unless you're
willing to make that statement; it defeats the whole purpose! For
similar reasons, an email header or a .signature provides *NO* added
information that this key is being used legitimately; if I made a bogus
key that said Jean-Sebastien Morisset I could send mail to the list with
a signature that other people would see came from YOU. What's to stop me
(as a malicious forger) from also inserting the key's fingerprint in the
mail? Therefore, seeing a fingerpring in a header or signature adds no
trust that the key being used is valid.
Worse yet, what if I was able to intercept your email via a
man-in-the-middle attack? I could strip out your signature and your
fingerprint, and insert my own. If people took it at face value "yeah,
that looks like a js post; there's his signature, there's his
fingerprint" and decided to trust that key, this would be bad, bad news
for you. What if someone then wanted to send an encrypted message to
you? They do so using the public key I referenced in the email I'd been
altering, and now I can see the encrypted message. Not very secure, is
it? The system is only as trustworthy as far as its keys can be trusted.
If you don't like seeing a warning that you can't trust this key, you
have a few options:
1. validate the key yourself. Find the person whose key it is and verify
it with them by asking to see their passport and checking that their
fingerprint is the same as the fingerprint on your keyring. Then sign
their key.
2. Don't verify signatures made with untrusted keys. Tell mutt not to
automatically verify signatures, and just do it manually when you get an
email from someone whose key you trust.
3. Take the warning for what it means: This is a good signature with
this key, but there is no indication that this key belongs to the person
it claims to belong to.
>
> We should have a little poll. :-)
The first option would be best for the web of trust, but personally I'm
using #3.
--
Vineet http://www.anti-dmca.org
Unauthorized use of this .sig may constitute violation of US law.
echo Qba\'g gernq ba zr\! |tr 'a-zA-Z' 'n-za-mN-ZA-M'
PGP signature
