Noah silva on Tue, 23 Apr 2002 23:00:15 +0200



Re: [PLUG] Biglumber - new key signing site


I know this will probably provoke a flame-storm upon me, which isn't my
intention, but here goes:
I don't mind putting up my (public, obviously) key, but what's with the
signing?  Do they have to be signed to put them up?

Yes, I know the "reasons" for key-signing, it's just that from my point of
view, I could care less if someone really believes that I am who I say I
am.  My goals are mainly:
a.) If I sign the message every time, and you verify the signature, you
can be sure that it is at least the same person sending the email every
time, even if you don't believe my name is really "noah silva".
b.) To send and receive encrypted messages to/from people I know.  

Now: yes, it's true that if I put up my public key on my web page, some
3rd party _could_ fake out my web page for someone looking for my public
key, and give them a "special" one.  Then they could spoof my mail server,
grab the message, read it, and re-encrypt it with my public key, and send
it to my real address, but I would _still_ notice if it wasn't signed with
the sender's private key.  (and yes they could have done this to me too,
so I would get the friend's wrong public key).  This may be easily done in
isolated cases, but it is a tremendous amount of trouble to go through on
a wide scale, and once someone has my key, it's too late.

Also: I could show up to PLUG with a fake ID and get you all to sign my
public key as "Robert R DiCicco".  Just like my employer's building
started requiring people to show ID when they sign in (so they can know
they are signing their real name) after 9/11.  I brought up the question
"If teenagers can get fake IDs to buy beer, don't you think terrorists can
manage it?"

In fact, I think it would be EASIER for someone to get a fake ID than to
spoof my web page and email server for extended periods of time (not to
mention, the _right_ period of time).

Maybe I am missing something though, I am not that big into PKI?

 -- noah silva 

On Tue, 23 Apr 2002 Darxus@chaosreigns.com wrote:

> On 04/23, Greg Sabino Mullane wrote:
> > Since PLUG is definitely the most "crypto-aware" LUG that I know of,
> 
> Pretty cool.
> 
> I encourage everyone to add a listing with their key on this site
> (http://www.biglumber.com/), so when people look at the listings,
> they see that Philadelphia has by far the most listed people, and are
> encouraged to come to a keysigning.  We are currently tied for the most
> people with New York City.
> 
> I've created an entry for PLUG keysignings, and sent in a number of
> suggestions.
> 
> Yes, I know the PLUG notes are not wrapped - this is related to one of the
> suggestions I've sent to Greg.
> 
> -- 
> "Blessed are the cracked, for they shall let in the light."
> http://www.ChaosReigns.com
> 


______________________________________________________________________
Philadelphia Linux Users Group       -      http://www.phillylinux.org
Announcements-http://lists.phillylinux.org/mail/listinfo/plug-announce
General Discussion  -  http://lists.phillylinux.org/mail/listinfo/plug