Re: [PLUG] confirming my identity

Jeff Abrahamson on Thu, 12 Jul 2001 17:50:08 -0400

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

Re: [PLUG] confirming my identity

From: Jeff Abrahamson <jeff@PURPLE.COM>

To: plug@lists.phillylinux.org

Subject: Re: [PLUG] confirming my identity

Date: Thu, 12 Jul 2001 17:32:05 -0400

>received: (from jeff@localhost) by descartes.purple.com (8.9.3/8.9.3) id RAA21366 for plug@lists.phillylinux.org; Thu, 12 Jul 2001 17:32:05 -0400

Mail-followup-to: plug@lists.phillylinux.org

Reply-to: plug@lists.phillylinux.org

Sender: plug-admin@lists.phillylinux.org

User-agent: Mutt/1.2.5i

On Wed, Jul 11, 2001 at 05:15:08PM -0400, Dave Turner wrote: > Jeff Abrahamson wrote: > > > > On Wed, Jul 11, 2001 at 02:38:05PM -0400, Darxus@chaosreigns.com wrote: > > > My public key, as you may have noticed, does not have any information on it > > > that can be confirmed by photo ID: > > > > > > pub 1024D/0E9FF879 2000-09-05 Darxus <Darxus@ChaosReigns.com> > > > Key fingerprint = DE37 8846 3B06 B97C F661 D68F 7FB5 B0BE 0E9F F879 > > > sub 1024g/2EEAB976 2000-09-05 > > > > > > > > > It's been signed by a number of plug regulars who know, personally, > > > who I am. If you don't, you may want to consider alternate methods of > > > verifying my identity, so you can sign my key. > > > > > > Like emailing me a password/phrase, so that only I (the person with the > > > email address darxus@chaosreigns.com) would know it, and so you could > > > know who me is. > > > > But then how do I know that you didn't cleverly intercept the mail > > from the real darxus? > > > > ;-) > > > > -- > > Jeff > > > > Jeff Abrahamson <http://www.purple.com/jeff/> > > Because you encrypted the message using his public key, and you brought > with you the fingerprint of the key you encrypted with. So, the person > you meet at the meeting has the same keys as the person who has the > e-mail address. True, but the extremely paranoid point is that all I know is that the key belongs to a human being (presumably ;-), an entity capable of attending a meeting and reading mail. I don't know *who* it is. And that's part of the point of the signing. In other words, he can't provide further proof of who he is except that he's darxus@chaosreigns. If his key said "Jon Johanssen" and he shows up at the meeting with his Finnish passport saying that he's Jon J himself, then I know something more about what I'm signing. It's still possible to fake, but it's just harder. Consider the following: I kidnap the real Darxus, then I adopt his email persona. I'm a programmer, so I even write some cool free stuff. Now I issue a key signed darxus, then come to the meeting. People sign my key, because they did what you propose above. Now, I release Darxus (maybe ;-). He can't very well revoke the signed key. It's thorny. (He would get other people to sign a new key, of course, and to revoke their signatures of his key. But it's much harder. This is all very paranoid, but that's what the web of trust is about. -- Jeff Jeff Abrahamson <http://www.purple.com/jeff/> ______________________________________________________________________ Philadelphia Linux Users Group - http://www.phillylinux.org Announcements-http://lists.phillylinux.org/mail/listinfo/plug-announce General Discussion - http://lists.phillylinux.org/mail/listinfo/plug

Follow-Ups:

Re: [PLUG] confirming my identity
From: Darxus@chaosreigns.com

Re: [PLUG] confirming my identity
From: Dave Turner <novalis@novalis.org>

References:

[PLUG] confirming my identity
From: Darxus@chaosreigns.com

Re: [PLUG] confirming my identity
From: Jeff Abrahamson <jeff@purple.com>

Re: [PLUG] confirming my identity
From: Dave Turner <novalis@novalis.org>

Prev by Date: Re: [PLUG] apt-get / dpkg question

Next by Date: Re: [PLUG] apt-get / dpkg question

Previous by thread: Re: [PLUG] confirming my identity

Next by thread: Re: [PLUG] confirming my identity

Index(es):

Date

Thread