Noah silva on Tue, 23 Apr 2002 23:20:23 +0200



Re: [PLUG] Biglumber - new key signing site



On Tue, 23 Apr 2002 Darxus@chaosreigns.com wrote:

> On 04/23, Noah silva wrote:
> > a.) If I sign the message every time, and you verify the signature, you
> > can be sure that it is at least the same person sending the email every
> > time, even if you don't believe my name is really "noah silva".
> 
> I don't even look at, let alone memorize your key ID, so no, I don't know
> all of your posts are signed with the same key.  And if someone were to

lol, nor do I expect you to (nor do I sign most of these posts...)  But if
you had grabbed my Public key from my web page (or another public
keyserver), and verified the signatures on my emails as coming from the
same ID, and then later sigs in newer emails failed validation, you would
know that either:
a.) I made a new key, and the public key you have for me is out of date
or
b.) It isn't me.

You could always call me up, or check my web page to see if this has
happened.  Since I can think of very few reasons I would ever change my
key at all, you should be suspicious.

> start posting with a different key with the same name, I would think you
> decided to generate a new key, not that someone else is trying to
> impersonate you.

Perhaps, but if you cared, and you wanted to actually check the sigs, you
would need to get my [new] public key (again, probably from my web page).
If I didn't have one up there, you would have reason to be suspicious.  I
personally would be suspicious whenever anyone regenerates their key, if I
have a reason to care about checking their authenticity.

> > also: I could show up to PLUG with a fake ID and get you all to sign my
> > public key as "Robert R DiCicco".  Just like my employer's building
> 
> Yeah, verifying identities can be tricky.  I know I read of at least
> one keysigning party that required 2 forms of photo ID.  I consider
> PLUG keysignings a forum for people to verify each other's identities
> and fingerprints as they see fit, and give suggestions on how to do so.
> As our keysignings get bigger and less personal (and I'm less likely
> to know the participants) I have been considering requiring people to
> exchange encrypted passwords with me before I sign their key, and I
> think I'm going to start doing that.

That seems to confirm that they own the email address, but not who they
actually are?

If it's important to know their real names for sure (and I am not sure why
it would be?), I would ask for passports instead of state ID because:
 
a.) They are purposely designed to be very much harder to fake.
b.) They all look the same, whereas you might not know what a MI or AL ID
card looks like offhand, making it harder to spot a fake one.

OTOH, some people don't have passports.

 -- noah silva 

> -- 
> "You shall know the truth, and it shall make you odd."
> -- Flannery O'Connor
> http://www.ChaosReigns.com
> 
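The key-continuity check Noah describes above (pin the sender's public key once, verify each later signature against it, and treat a failure as "new key or not the same person") as an added example; this is illustrative code written for this page, not anything from the list members or from GnuPG. It assumes Ed25519 signatures from Go's standard library in place of OpenPGP, a constructed sequence of four posts, and a toy fingerprint (a truncated SHA-256 of the raw key, not OpenPGP's fingerprint algorithm). The two outcomes Noah lists map to the "key-changed" verdict, while a message that fails under the very key it claims to carry is reported separately as a bad signature.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Verdict is the outcome of checking one signed message against the key
// previously pinned for its sender.
type Verdict string

const (
	VerdictFirstSeen  Verdict = "first-seen: key pinned, nothing to compare against yet"
	VerdictOK         Verdict = "ok: valid signature from the pinned key"
	VerdictBadSig     Verdict = "bad-signature: does not verify under the key it claims to use"
	VerdictKeyChanged Verdict = "key-changed: valid signature, but under a key other than the pinned one (new key, or not the same person)"
)

// Fingerprint is a short identifier for a key. Constructed for this example:
// truncated SHA-256 of the raw key bytes, not OpenPGP's fingerprint scheme.
func Fingerprint(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:8])
}

// KeyStore pins, per sender, the first public key seen for them
// (the "grab the key from the web page once" step in the thread).
type KeyStore struct {
	pinned map[string]ed25519.PublicKey
}

func NewKeyStore() *KeyStore { return &KeyStore{pinned: map[string]ed25519.PublicKey{}} }

// Check verifies msg/sig under the key the message claims to be signed with,
// then compares that key with whatever was pinned for sender.
func (ks *KeyStore) Check(sender string, claimed ed25519.PublicKey, msg, sig []byte) Verdict {
	pinned, seen := ks.pinned[sender]
	if !seen {
		if !ed25519.Verify(claimed, msg, sig) {
			return VerdictBadSig
		}
		ks.pinned[sender] = claimed
		return VerdictFirstSeen
	}
	if ed25519.Verify(pinned, msg, sig) {
		return VerdictOK
	}
	// The pinned key rejects this message. If a different key accepts it, the
	// sender (or someone using their name) has switched keys: case a) or b).
	if !pinned.Equal(claimed) && ed25519.Verify(claimed, msg, sig) {
		return VerdictKeyChanged
	}
	return VerdictBadSig
}

// Scenario runs a constructed sequence: two posts from the genuine key, one
// from a different key under the same name, and one altered after signing.
func Scenario() ([]Verdict, error) {
	genuinePub, genuinePriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	otherPub, otherPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	ks := NewKeyStore()
	var out []Verdict

	m1 := []byte("post 1: keysigning this Saturday")
	out = append(out, ks.Check("noah", genuinePub, m1, ed25519.Sign(genuinePriv, m1)))

	m2 := []byte("post 2: bring your fingerprints")
	out = append(out, ks.Check("noah", genuinePub, m2, ed25519.Sign(genuinePriv, m2)))

	// Same sender name, different key: either a regenerated key or an impostor.
	m3 := []byte("post 3: my key changed, please re-sign it")
	out = append(out, ks.Check("noah", otherPub, m3, ed25519.Sign(otherPriv, m3)))

	// Genuine key, but the body was changed after signing (7pm -> 8pm).
	m4 := []byte("post 4: meet at 7pm")
	sig4 := ed25519.Sign(genuinePriv, m4)
	m4[len(m4)-3] = '8'
	out = append(out, ks.Check("noah", genuinePub, m4, sig4))

	return out, nil
}

func main() {
	vs, err := Scenario()
	if err != nil {
		panic(err)
	}
	for i, v := range vs {
		fmt.Printf("post %d: %s\n", i+1, v)
	}
}
```

The point of separating the last two verdicts is the one Noah makes: a valid signature under an unfamiliar key is not proof of tampering, but it is exactly the event that should send you to the sender's web page or phone before you accept the new key.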


______________________________________________________________________
Philadelphia Linux Users Group       -      http://www.phillylinux.org
Announcements-http://lists.phillylinux.org/mail/listinfo/plug-announce
General Discussion  -  http://lists.phillylinux.org/mail/listinfo/plug