Greg Sabino Mullane on 8 Feb 2005 02:14:00 -0000



Re: [PLUG] Keysigning: The Aftermath


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 
 
Walt Mankowski wrote:
> I just want to add one extra point.  If you're going to do this step,
> and the person whose key you're signing has multiple userids with
> different email addresses, what Eric described above only makes sense
> if you send DIFFERENT secret words to each address.
>
> You CAN'T just send the same message to all the email addresses.  All
> that proves is that at least one of the addresses is valid.  As
> spammers have taught us, faking From addresses is trivial.
>
> There's no point in proving that someone can SEND mail that looks like
> it's from the addresses on the key.  Anyone can do that.  What you
> want to know is if the person can RECEIVE email at that address.
  
Another easier (YMMV) way is to simply sign all of the uids, break the
key apart into separate ones with only one uid/email each, and email the
encrypted and signed keys to each email address individually. Only the
person who receives email at that address can receive it, and only the
owner of the key can decrypt it and thus get your signed copy of the key.
If the person no longer has control of a particular email address, they
don't get your signature on the corresponding uid.
  
- --
Greg Sabino Mullane greg@turnstep.com
PGP Key: 0x14964AC8 200502072115
http://biglumber.com/x/web?pk=2529DF6AB8F79407E94445B4BC9B906714964AC8
-----BEGIN PGP SIGNATURE-----
 
iD8DBQFCCCDZvJuQZxSWSsgRAhPfAJ9rUPKvex2GNNSQCaox8EIhdRtoEACaApcE
VO6zBdl+NxGpik4hn/4FZ/o=
=qALd
-----END PGP SIGNATURE-----


___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug
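The procedure Greg outlines (sign every uid, split the key so each copy carries a single uid, encrypt each copy to the key and send it to that uid's address) scripted as an added example. This is not code from the original post or from PLUG; it assumes GnuPG 2.2 or later (`--quick-gen-key`, `--quick-add-uid`, `--quick-sign-key`, `--export-filter keep-uid`). Two throwaway homes stand in for the signer's and the key holder's machines, both keys and all addresses are constructed, and the encrypted copies are written to an outbox directory instead of being mailed. The last function plays the recipient: it decrypts the copy for one address and shows that only the matching uid ends up carrying the signer's certification.

```shell
#!/bin/sh
# Added example, not from the original post: Greg's procedure scripted with
# GnuPG 2.2+ (assumes --quick-gen-key, --quick-add-uid, --quick-sign-key and
# --export-filter keep-uid).  Two throwaway homes stand in for the signer's
# and the key holder's machines; keys and addresses are constructed.
# Instead of mailing, each encrypted copy lands in $OUTDIR.
set -eu

SIGNER_HOME=$(mktemp -d); chmod 700 "$SIGNER_HOME"   # signer's keyring
HOLDER_HOME=$(mktemp -d); chmod 700 "$HOLDER_HOME"   # key holder's keyring
OUTDIR="$SIGNER_HOME/outbox"; mkdir -p "$OUTDIR"

cleanup() {
    for h in "$SIGNER_HOME" "$HOLDER_HOME"; do
        gpgconf --homedir "$h" --kill gpg-agent 2>/dev/null || true
    done
    rm -rf "$SIGNER_HOME" "$HOLDER_HOME"
}
trap cleanup EXIT

# gpg against a given home, fully non-interactive (demo keys have no passphrase).
g() { _h=$1; shift; gpg --homedir "$_h" --batch --yes --quiet \
          --pinentry-mode loopback --passphrase '' "$@"; }

# Primary-key fingerprint of the key matching a user id in a home.
fpr_of() { g "$1" --with-colons --list-keys "$2" | awk -F: '$1=="fpr"{print $10; exit}'; }

# Addresses found in a key's uids, one per line.
mboxes_of() { g "$1" --with-colons --list-keys "$2" | awk -F: '$1=="uid"{print $10}' \
                | sed -n 's/.*<\([^>]*\)>.*/\1/p'; }

# --- Setup: holder has two uids on two addresses; signer receives the public key.
g "$HOLDER_HOME" --quick-gen-key 'Holder <holder@example.com>' default default never
HOLDER=$(fpr_of "$HOLDER_HOME" holder@example.com)
g "$HOLDER_HOME" --quick-add-uid "$HOLDER" 'Holder (work) <holder@work.example>'
g "$SIGNER_HOME" --quick-gen-key 'Signer <signer@example.net>' default default never
SIGNER=$(fpr_of "$SIGNER_HOME" signer@example.net)
g "$HOLDER_HOME" --export "$HOLDER" | g "$SIGNER_HOME" --import

# --- Step 1: sign all of the holder's uids in one go.
g "$SIGNER_HOME" --local-user "$SIGNER" --quick-sign-key "$HOLDER"
g "$SIGNER_HOME" --check-trustdb   # holder's key is now valid: signed by an ultimately trusted key

# --- Step 2: one copy per address, holding only that uid, encrypted to the key.
split_and_encrypt() {
    mbox=$1; plain="$OUTDIR/$mbox.key"
    g "$SIGNER_HOME" --armor --export-filter "keep-uid=mbox = $mbox" \
        --export "$HOLDER" > "$plain"
    # Sanity check: the copy must contain exactly one user ID packet.
    n=$(g "$SIGNER_HOME" --list-packets "$plain" | grep -c '^:user ID packet:' || true)
    [ "$n" -eq 1 ] || { echo "$plain: expected 1 uid, found $n" >&2; return 1; }
    g "$SIGNER_HOME" --armor --local-user "$SIGNER" --recipient "$HOLDER" \
        --sign --encrypt --output "$OUTDIR/$mbox.asc" "$plain"
    rm -f "$plain"
}
for m in $(mboxes_of "$SIGNER_HOME" "$HOLDER"); do split_and_encrypt "$m"; done

# --- Recipient side (constructed check): a fresh copy of the holder's keyring
# decrypts the copy sent to one address and imports it.  Prints the uid(s)
# that now carry the signer's certification; only the one for that address.
uids_certified_via() {
    mbox=$1; rh=$(mktemp -d); chmod 700 "$rh"
    g "$HOLDER_HOME" --export-secret-keys "$HOLDER" | g "$rh" --import
    g "$SIGNER_HOME" --export "$SIGNER" | g "$rh" --import   # lets the signature verify
    g "$rh" --decrypt "$OUTDIR/$mbox.asc" | g "$rh" --import
    g "$rh" --with-colons --list-sigs "$HOLDER" \
        | awk -F: -v k="$SIGNER" \
            '$1=="uid"{u=$10} $1=="sig" && $5==substr(k,length(k)-15){print u}'
    gpgconf --homedir "$rh" --kill gpg-agent 2>/dev/null || true
    rm -rf "$rh"
}

uids_certified_via holder@example.com     # prints: Holder <holder@example.com>
uids_certified_via holder@work.example    # prints: Holder (work) <holder@work.example>
```

The check at the end is the point of the procedure: whoever reads mail at holder@work.example can decrypt that one file (they hold the secret key), but importing it adds the signer's certification to the work uid only; the copy for holder@example.com never reaches an address its owner no longer controls, so that uid stays uncertified.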