Third party information

Bob Mathews bobmath@earthlink.net
Tue Dec 10 21:00:01 2002


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Tuesday 10 December 2002 07:27, Huels, Ralf SCORE wrote:
> How likely is it that that is fake given that on one hand the
> correct person claimed it by Key ID, creation date and two or
> three UIDs and on the other hand the public key I have has about
> 90 signatures

This is all trivial to fake. Duplicating a 32-bit key ID takes a matter of
hours on a PC. The creation date is not a problem. Adding the UIDs is a
no-brainer. Getting 90 signatures is easy if you can invent 90 bogus keys to
sign with.

> one [signature] from a trusted introducer

This is where you hope the trusted introducer can be trusted not to sign keys
without verifying the fingerprint. Ask yourself, do you want to be a lax
introducer?

As to how _likely_ it is that all this is fake... it seems unlikely. But
security is like programming Satan's computer, as they say. You have to
assume that it's going to purposely do the worst possible thing at the worst
possible time, and try to defend against that.

 - bob mathews

-----BEGIN PGP SIGNATURE-----

iD8DBQE99kicPgDecCrBEpcRAoEBAJ95RYkWGKQdJLCdNbOgMhJqh456oQCgsk//
aIGdHIcI988/IFqbWIKrl6A=
=9BzE
-----END PGP SIGNATURE-----
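The point above about short key IDs, as an added example that is not part of the post: two constructed v4-style fingerprints that share the same 32-bit key ID while being different keys, beside a check that compares the full fingerprint instead. The fingerprints and the keys-per-second rate are made-up values for illustration.

```python
"""Short OpenPGP key IDs are a truncation of the fingerprint, not an identity check."""

# Constructed 40-hex-digit v4-style fingerprints (not real keys). They are
# deliberately built so that the last 8 hex digits, i.e. the 32-bit short
# key ID, are identical although the keys differ.
FP_REAL = "1A2B3C4D5E6F708192A3B4C5D6E7F8091A2BC3D4"
FP_FAKE = "FFEEDDCCBBAA99887766554433221100" + "1A2BC3D4"

HEX_DIGITS = set("0123456789ABCDEF")


def normalize_fingerprint(fingerprint: str) -> str:
    """Strip spaces, upper-case, and require a 40-hex-digit v4 fingerprint."""
    fp = fingerprint.replace(" ", "").upper()
    if len(fp) != 40 or not set(fp) <= HEX_DIGITS:
        raise ValueError("expected a 40-hex-digit v4 fingerprint")
    return fp


def key_id(fingerprint: str, bits: int = 32) -> str:
    """The key ID is simply the low `bits` bits of the fingerprint
    (32-bit short ID or 64-bit long ID), i.e. its last bits//4 hex digits."""
    if bits not in (32, 64):
        raise ValueError("OpenPGP key IDs are 32 or 64 bits")
    return normalize_fingerprint(fingerprint)[-(bits // 4):]


def same_key_by_short_id(fp_a: str, fp_b: str) -> bool:
    """Weak check: matching on the 32-bit ID, which a bogus key can share."""
    return key_id(fp_a) == key_id(fp_b)


def same_key_by_fingerprint(fp_a: str, fp_b: str) -> bool:
    """Strong check: compare the whole fingerprint, as an introducer should."""
    return normalize_fingerprint(fp_a) == normalize_fingerprint(fp_b)


def expected_keys_to_match_id(bits: int) -> float:
    """Expected key generations to hit one specific key ID: 2**bits."""
    return float(2 ** bits)


def hours_to_match_id(bits: int, keys_per_second: float) -> float:
    """Wall-clock estimate for a given (assumed) key-generation rate."""
    return expected_keys_to_match_id(bits) / keys_per_second / 3600.0
```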