Re: [PLUG] key-signing Thursday?

Michael Leone on Thu, 18 Apr 2002 13:53:45 -0400

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

Re: [PLUG] key-signing Thursday?

From: "Michael Leone" <turgon@mike-leone.com>

To: plug@lists.phillylinux.org

Subject: Re: [PLUG] key-signing Thursday?

Date: Thu, 18 Apr 2002 13:53:58 -0400

Organization: mike-leone.com

Reply-to: plug@lists.phillylinux.org

Sender: plug-admin@lists.phillylinux.org

> > I trust Darxus enough so that if he hands me a prinout with 10 new > > fingerprints, I trust that he hasn't deliberately magled or forged > > any. If he did, the new user will say "Hang on; that's not my > > fingerprint". Unless, of course, the 2 are in cahoots. But hey .. > > you have to draw that paranoia line somewhere ... > > Why? It's possible to be absolutely sure with PGP, provided that you > can rely on the crypto-system (which, as I said elsewhere, may not be > true). No, actually, it isn't absolutely sure, not for real identities, anyway. Consider - any schmuck can make a gpg key with "Mike Leone" on it. Said schmuck can also (probably easily) get a fake ID with the name "Mike Leone" on it - I never bought a fake ID, but they can't be IMPOSSIBLE to find ... Said schmuck sends Darxus fingerprint. Shows up at keysigning with fake ID. Shows it around, and reads fingerprint. You go home, and sign schmuck's key, having been perfectly satisifed. But it ain't me. That might be stretching a point, but all the keysigning does is show that the keyholder has verified to you that he is the keyholder. Not that he says he is who he claims to be. Unless you wanna do a DNA test at every keysigning ... :-) >It's not paranoia, it's simply black or white truth. Why fudge > it when the system makes it so easy to be sure? The paranoia I'm referring to is thinking that the above scenario is being enacted on you. While it's possible, it's not too likely. (similar things have happened, tho - remember the case of that woman, who had been a radical bomb-thrower in the 60s, who then changed her name and identity; got married; and was living quietly until they nabbed her? Even her husband and kids didn't know that she wasn't who she had been claiming to be all those years. Of course, that's an extreme example, and most of the time you trust the people whom you meet and know and have relationships with (friendly or more so) to be who they say they are) ______________________________________________________________________ Philadelphia Linux Users Group - http://www.phillylinux.org Announcements-http://lists.phillylinux.org/mail/listinfo/plug-announce General Discussion - http://lists.phillylinux.org/mail/listinfo/plug

Follow-Ups:

Re: [PLUG] key-signing Thursday?
From: gabriel rosenkoetter <gr@eclipsed.net>

References:

Re: [PLUG] key-signing Thursday?
From: "Michael Leone" <turgon@mike-leone.com>

Re: [PLUG] key-signing Thursday?
From: gabriel rosenkoetter <gr@eclipsed.net>

Prev by Date: Re: [PLUG] gpg/mailing list?

Next by Date: Re: [PLUG] What am I missing about RPM?

Previous by thread: Re: [PLUG] key-signing Thursday?

Next by thread: Re: [PLUG] key-signing Thursday?

Index(es):

Date

Thread