On 04/11/2011 06:09 PM, MFPA wrote:
> That's all fair enough, but I still think the standard MITM attack is
> an example of "some hypothetical exploit by some hypothetical attacker
> compromises your communications."
>
MITM is not hypothetical and
On 04/11/2011 07:09 PM, MFPA wrote:
> Hi
>
>
> On Monday 11 April 2011 at 11:49:10 PM, in
> , Grant Olson wrote:
>
>
>> I don't think it counts as the middle if you have
>> access to the email account.
>
>> If I've got your logon info, and I'm accessing your
>> account that way, it's no longer
Hi
On Monday 11 April 2011 at 11:49:10 PM, in
, Grant Olson wrote:
> I don't think it counts as the middle if you have
> access to the email account.
> If I've got your logon info, and I'm accessing your
> account that way, it's no longer invisi
On 4/11/11 6:34 PM, MFPA wrote:
>
>>> Unfortunately I'm not able to develop such an attack,
>>> and think there is none of importance. Could you
>>> please help me?
>
>> I personally don't think there is one.
>
> You already mentioned "the standard MITM attack." Isn't that one?
>
I don't thin
Hi
On Monday 11 April 2011 at 6:06:48 PM, in
, Grant Olson wrote:
>> but WHY should anybody (even an
>> attacker) place an email address in the ID over which
>> they have no control?
> The obvious example is the standard MITM attack.
[...]
>>>
On 4/11/11 4:18 AM, Jan Janka wrote:
>>> One reason we use GnuPG for is we think it
>>> is significant likely there's a "man in the
>>> middle attack" or someone has access to email
>>> accounts he should not have. Given that, what
>>> benefit does one take from knowing my communication
>>> pa
Hi
On Monday 11 April 2011 at 9:18:36 AM, in
, Jan Janka wrote:
> but WHY should anybody (even an
> attacker) place an email address in the ID over which
> they have no control?
People make mistakes. And plenty of people have previous email
addre
>>One reason we use GnuPG for is we think it
>>is significant likely there's a "man in the
>>middle attack" or someone has access to email
>>accounts he should not have. Given that, what
>>benefit does one take from knowing my communication
>>partner has access to a certain email account?
>Th
On 04/10/2011 02:48 PM, Jan Janka wrote:
>
> But my point is as follows:
> One reason we use GnuPG for is we think it is significant likely there's a
> "man in the middle attack" or someone has access to email accounts he should
> not have. Given that, what benefit does one take from knowing my
>>>But the e-mail access control check *does* protect
>>>against the attack scenario where at the time of
>>>keysigning, Eve does *not* have access to Bob's inbox.
>> Yes, but the fingerprint check already protects against
>> that, so why do we need another check?
>Please describe how checking ke
On 4/9/11 8:26 AM, MFPA wrote:
> My understanding is that there is a three-point check:-
As a minor nit -- the protocol you've outlined is a good one, is
commonly used, and is highly recommended -- but it is not the only one,
and special use cases may involve their own different protocol.
There i
Hi
On Friday 8 April 2011 at 11:58:09 PM, in
, Jan Janka wrote:
>>But the e-mail access control check *does* protect
>>against the attack scenario where at the time of
>>keysigning, Eve does *not* have access to Bob's inbox.
> Yes, but the finge
> But if an attacker puts his e-mail address on a key he claims to be
> mine, he won't get my mail sent to (or encrypted to) him.
If someone somehow gets that key, reads your name in the ID and relies on that
name he might send mail intended for you to the attacker's email address, that
might ev
On 04/08/2011 06:02 PM, Jan Janka wrote:
> I think there's no benefit, because everybody who issues a key (even an
> attacker) wants to receive information encrypted with that key, - otherwise
> he wouldn't issue it. Thus he will place an email address in the ID he has
> access to. So I think
>> I wonder how I can check whether the email
>>address in the ID really belongs to the keyowner.
>You can only check whether the key owner "has access"
>to the email address. You cannot check whether this
>access is in any way exclusive, legit or whatever.
I think so, but WHAT benefit (concerning
Sounds like some people could use a signature type which means: "I
disclaim all signatures made by ".
--
Mark H. Wood, Lead System Programmer mw...@iupui.edu
Asking whether markets are efficient is like asking whether people are smart.
Hi!
On -10.01.-28163 20:59, takethe...@gmx.de wrote:
> I wonder how I can check whether the email address in the ID really belongs to
> the keyowner.
You can only check whether the key owner "has access" to the email
address. You cannot check whether this access is in any way exclusive,
legit
Faramir wrote the following on 4/7/11 8:29 PM:
> Oh, well, encryption faeries sooner or later will upload your keys to
> keyservers. And you can't prevent people from signing it, especially the
> newbies reading support lists.
I can't prevent it, but I may naively expect people to respect conventi
On 4/7/11 8:05 PM, Jan Janka wrote:
> Hi Daniel,
>
> thanks for the answer, but it seems to me with this procedure you only
> check whether the person has access to the email address, you
> don't check whether this access is illegal, don't you?
>
> Take care,
> Jan
>
Well, yes, but the
On 04/07/2011 08:05 PM, Jan Janka wrote:
> thanks for the answer, but it seems to me with this procedure you only
> check whether the person has access to the email address, you
> don't check whether this access is illegal, don't you?
I have made no claims anywhere about legality or illeg
On 07-04-2011 13:06, Charly Avital wrote:
...
> In another forum, one of the members signed my public key and uploaded
> it to the keyservers with his/her signature, without asking nor
> notifying me (the key was already on the key servers, but wi
2011 19:49:50 -0400
> From: Daniel Kahn Gillmor
> To: takethe...@gmx.de
> CC: GnuPG Users
> Subject: How to verify the e-mail address when certifying OpenPGP User IDs
> [was: Re: Signing a key (meaning)]
> On 04/07/2011 07:33 PM, takethe...@gmx.de wrote:
> > The reason I as
On 04/07/2011 07:33 PM, takethe...@gmx.de wrote:
> The reason I asked this question is that I wonder how I can check whether the
> email address in the ID really belongs to the keyowner.
The standard way i've seen e-mail address verification done is with caff
("certificate authority fire and forge
Thanks everybody for all the answers.
The reason I asked this question is that I wonder how I can check whether the
email address in the ID really belongs to the keyowner.
Let's say I've been knowing Peter Hansen for quite some time, but I don't know
his email address. Now he tells me it's funny
On 04/07/2011 12:06 PM, Charly Avital wrote:
> In another forum, one of the members signed my public key and uploaded
> it to the keyservers with his/her signature, without asking nor
> notifying me (the key was already on the key servers, but without this
> added signature)
>
> I didn't invite th
Kevin wrote the following on 4/7/11 9:49 AM:
> If nothing else, it
> establishes that you have some kind of relationship with the owner of
> the key you signed. It may establish that you and he/she were in a
> specific place at a specific time (e.g. a keysigning party), etc. The
> words "no informat
On Thu, Apr 07, 2011 at 10:31:24AM +0200 thus spoke takethe...@gmx.de:
Hi everybody out there,
I put some thoughts on the meaning of signing a key and came to an
unusual definition. Maybe someone likes to discuss it with me, since
I'm not quite sure whether I should recommend others to interpre
On Thu, Apr 07, 2011 at 10:31:24AM +0200, takethe...@gmx.de wrote:
> Definition: Signing a key means saying: "I confirm the full name in
> the key's ID is the keyowner's right name. The email address in the ID
> is the one the keyowner put there, but I cannot guarantee it's
> his/hers.
Yes you can
Hi everybody out there,
I put some thoughts on the meaning of signing a key and came to an
unusual definition. Maybe someone likes to discuss it with me, since
I'm not quite sure whether I should recommend others to interpret
signing that way.
Definition: Signing a key means saying: "I confirm th
29 matches