Walt Mankowski on 6 Feb 2005 20:43:23 -0000



Re: [PLUG] Keysigning: The Aftermath


On Thu, Feb 03, 2005 at 10:45:19AM -0500, Eric J. Roode wrote:
>    Now for the first optional step.  You now know that you hold the
> key that is associated with the person whose identity you verified
> last night.  What you don't know for certain is that that person
> actually is associated with the email addresses that are claimed by the
> key's IDs.  (Nothing stops me from claiming to be bgates@microsoft.com,
> for example).  It's unlikely that someone would put a fake email
> address on their gpg key (what would be the point?)  but it is
> possible, so you may verify the email addresses as follows:
> 
>    Send a message to each of the key's email addresses.  The message
> you send should be encrypted (so it can only be decrypted with that
> key), and it should contain some random phrase, word, or question.
> Nothing elaborate; you just need to verify that the recipient can
> decrypt the message.  Something like "Hi, nice to meet you at the
> keysigning.  Please send me an encrypted reply that contains the word
> POTATOES, and I'll reply with your signed key.  Thanks!"  When you get
> the proper reply, you're ready to sign.

I just want to add one extra point.  If you're going to do this step,
and the person whose key you're signing has multiple userids with
different email addresses, what Eric described above only makes sense
if you send DIFFERENT secret words to each address.

You CAN'T just send the same message to all the email addresses.  All
that proves is that at least one of the addresses is valid.  As
spammers have taught us, faking From addresses is trivial.

There's no point in proving that someone can SEND mail that looks like
it's from the addresses on the key.  Anyone can do that.  What you
want to know is if the person can RECEIVE email at that address.

Walt
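The challenge-and-reply step Eric describes, done with Walt's different secret per address, as an added example that is not part of the original thread. It only does the bookkeeping: encrypting each challenge to the key with gpg and reading the decrypted replies are assumed to happen outside the script, and the fingerprint and addresses used are constructed placeholders.

```python
"""Per-address challenge bookkeeping for the keysigning email check.

Example code added to this thread, not something Eric or Walt posted.
One random secret is issued to EVERY address on the key, and a reply is
accepted only if it carries the secret that was issued to the address it
claims to come from. gpg encryption/decryption of the messages is assumed
to happen outside this script.
"""
import secrets
from dataclasses import dataclass, field


@dataclass
class KeyChallenge:
    fingerprint: str                      # placeholder; not a real key
    issued: dict = field(default_factory=dict)    # address -> secret
    confirmed: set = field(default_factory=set)   # addresses that passed

    def issue(self, addresses):
        """Create a different secret for each address on the key."""
        for addr in addresses:
            self.issued[addr] = secrets.token_hex(8)
        return dict(self.issued)

    def check_reply(self, from_addr, body):
        """Accept only if body holds the secret issued to from_addr.

        A secret issued to another address proves nothing about
        from_addr: From headers are trivially forged, so only the
        secret that was sent to THIS address shows mail is received there.
        """
        expected = self.issued.get(from_addr)
        if expected is None or expected not in body:
            return False
        self.confirmed.add(from_addr)
        return True

    def uids_to_sign(self):
        """Addresses whose user IDs have earned a signature so far."""
        return sorted(self.confirmed)


if __name__ == "__main__":
    kc = KeyChallenge("PLACEHOLDER-FINGERPRINT")
    words = kc.issue(["alice@example.org", "alice@example.net"])
    print(kc.check_reply("alice@example.org", "word: " + words["alice@example.org"]))
    print(kc.uids_to_sign())
```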


___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug