-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 02/19/2016 05:34 AM, Nathaniel Suchy wrote:
> I've noticed a lot of users of Tor use PGP. With it you can encrypt
> or sign a message. However, how do we know a key is real? What would
> stop me from creating a new key pair and uploading it to the key
> servers? And from there spoofing identity?
Yes, you could create a key with user ID mirimir ([email protected]). And you could share it with others, pretending to be me. But email to [email protected] goes to me, not to you, and I'd be unable to read it. So I'd probably reply, attaching my public key. I could also download the fake key, and alert the sender.

But Riseup could do that, and also filter out messages going to their fake key. Adversaries that could MitM Riseup's connections with other mailservers could also manage that.

But correspondents who bothered to check https://keybase.io/mirimir could determine whether or not they have the right key for me. In order to change keys, an adversary would need to make coordinated changes to four online accounts and the VM that I'm using. Possible? Sure. But not so easy.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (GNU/Linux)

iQEcBAEBAgAGBQJWxxReAAoJEGINZVEXwuQ+63kIAMk9S4gWczEPMKt1aJQF0+ev
EnNxyExKaWOBWRoCJst7NUdVtr/vwh4mu29p6fsOrEHP+h/BfwLHaHqKgO+KJGE/
QxMgWcoUUh0rHkk5kRaosGFheJ2J94cVwL0XXoTXFVUwDKJ+XUvVQmEY4AKVSdAg
vc99/IZ23qxP4MKwSqcYPOsdPUCR4v4J5EKWqCMZdqnFOpQI36b0f2Q82iPh8Xfv
qA1rOl6Kogx1gL992mNJ/4NRaZUFK40/QEubTyxAKi2/XzYUu6cjcEtyitoByc7V
lWEW11yztYW8mUm8LdVQUNT7kJU+wc+GMCdVO3UAINy4Cg/yuuBh3EP7QwaPOfo=
=UdyX
-----END PGP SIGNATURE-----
-- 
tor-talk mailing list - [email protected]
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
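The mechanics behind the exchange above, as an added example that is not part of the tor-talk thread: an OpenPGP user ID ("mirimir <...>") lives in its own packet and is never covered by the key fingerprint, which RFC 4880 defines as a SHA-1 over the public-key packet alone. So anyone can upload a key carrying someone else's name, but they cannot make its fingerprint match the one the real owner publishes out of band (the Keybase-style check in the reply). The code builds two RSA public-key packets with the same user ID, shows their fingerprints differ, and picks the key a correspondent should trust. All key material, timestamps and the user-ID string are constructed for illustration; the keyserver is simulated.

```python
"""Fingerprints cover the key, not the user ID: why spoofed user IDs fail an out-of-band check.

Added example; not code from the tor-talk thread. Key material below is constructed.
"""
from __future__ import annotations

import hashlib
import hmac
import struct
from typing import List, Optional

RSA_ENCRYPT_OR_SIGN = 0x01  # public-key algorithm ID, RFC 4880 9.1
USER_ID_TAG = 13            # packet tag for a User ID packet, RFC 4880 4.3


def mpi(value: int) -> bytes:
    """Encode an integer as an OpenPGP MPI: 2-octet bit length, then big-endian octets (RFC 4880 3.2)."""
    if value == 0:
        return b"\x00\x00"
    bitlen = value.bit_length()
    return struct.pack(">H", bitlen) + value.to_bytes((bitlen + 7) // 8, "big")


def rsa_public_key_body(n: int, e: int, created: int) -> bytes:
    """Body of a v4 public-key packet for RSA (RFC 4880 5.5.2): version, creation time, algorithm, n, e."""
    return b"\x04" + struct.pack(">I", created) + bytes([RSA_ENCRYPT_OR_SIGN]) + mpi(n) + mpi(e)


def v4_fingerprint(body: bytes) -> str:
    """RFC 4880 12.2: SHA-1 over 0x99, the 2-octet body length, and the body. 40 upper-case hex chars."""
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()


def long_key_id(fingerprint: str) -> str:
    """The 64-bit key ID is the low 8 octets of the v4 fingerprint (RFC 4880 12.2)."""
    return fingerprint[-16:]


def user_id_packet(uid: str) -> bytes:
    """New-format User ID packet (tag 13) with a one-octet length (RFC 4880 4.2.2.1, 5.11).

    This is a separate packet from the key material, so nothing in it enters the
    fingerprint: anyone can attach any name to their own key.
    """
    data = uid.encode("utf-8")
    if len(data) >= 192:
        raise ValueError("one-octet length form only covers bodies shorter than 192 octets")
    return bytes([0xC0 | USER_ID_TAG, len(data)]) + data


def normalize_fingerprint(text: str) -> str:
    """Accept the grouped 'ABCD 1234 ...' form printed on a profile page; return bare hex."""
    return "".join(text.split()).upper()


def fingerprint_matches(fetched_body: bytes, published: str) -> bool:
    """Does a key body fetched from a keyserver match a fingerprint published out of band?"""
    return hmac.compare_digest(v4_fingerprint(fetched_body), normalize_fingerprint(published))


def select_trusted(candidates: List[bytes], published: str) -> Optional[bytes]:
    """Of all keys a keyserver returns for a user ID, keep only the one matching the published fingerprint."""
    for body in candidates:
        if fingerprint_matches(body, published):
            return body
    return None


# Constructed key material: not real RSA moduli, just two distinct large odd integers.
CREATED = 1455860000  # constructed creation timestamp
E = 65537
N_GENUINE = int.from_bytes(bytes(range(1, 129)), "big") | 1
N_IMPOSTOR = int.from_bytes(bytes(range(128, 0, -1)), "big") | 1
GENUINE_BODY = rsa_public_key_body(N_GENUINE, E, CREATED)
IMPOSTOR_BODY = rsa_public_key_body(N_IMPOSTOR, E, CREATED)
SPOOFED_UID = user_id_packet("mirimir (constructed user ID)")  # byte-identical on both keys


def published_fingerprint() -> str:
    """What the real owner publishes out of band (a Keybase profile, say), in the usual 4-char groups."""
    fpr = v4_fingerprint(GENUINE_BODY)
    return " ".join(fpr[i:i + 4] for i in range(0, 40, 4))


def simulated_keyserver_lookup(uid_packet: bytes) -> List[bytes]:
    """A keyserver indexes by user ID and hands back every key carrying it, the impostor's included."""
    return [IMPOSTOR_BODY, GENUINE_BODY]


if __name__ == "__main__":
    for label, body in (("genuine", GENUINE_BODY), ("impostor", IMPOSTOR_BODY)):
        fpr = v4_fingerprint(body)
        print(f"{label:9s} uid={SPOOFED_UID[2:].decode()!r} fpr={fpr} keyid={long_key_id(fpr)}")
    chosen = select_trusted(simulated_keyserver_lookup(SPOOFED_UID), published_fingerprint())
    print("trusted key is the genuine one:", chosen == GENUINE_BODY)
```

The same comparison is what `gpg --fingerprint` plus a glance at the owner's profile page gives you by hand; the point of the code is that the user ID packet never touches `v4_fingerprint`, so an attacker who controls only the name on a keyserver cannot pass `select_trusted`.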
