On message signing and Enigmail...

gnupg at lists.grepular.com gnupg at lists.grepular.com
Wed Feb 1 22:05:31 CET 2012


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 01/02/12 20:45, Robert J. Hansen wrote:

>> On the issue of signing:  I do sign my messages, and have
>> uploaded my public keys to key servers, so they are available to
>> check that no one has changed my message.
> 
> Except that it doesn't.  What's to prevent me from creating a 
> certificate with your name and email address and making posts in
> your name, with a signature from a certificate that claims to be
> yours?
> 
> Nothing -- and that signature is every bit as credible as the one
> that's from your own certificate.  You might say, "but that
> certificate's a fraud, my certificate's real!", but the Christopher
> Walters impersonator will say the same thing about you.  There's no
> way to check.

Isn't this the whole point of the web of trust?

And if somebody uses the same key to sign mail repeatedly it builds a
history and an identity. It doesn't stop somebody else coming in and
using a fake key, but that person can't successfully claim to be the
same person who signed all the other mail. Not if the person who
actually signed all of the historical mail still has access to that
key and can call them out on it.

I've posted using the same key on probably a dozen mailing lists, I
use it for all of my personal and work email. I use it to sign all of
the comments on my blog. I use it to sign the front page of my
website. There is very definite and obvious value in using the same
key in multiple places to establish the connection between your key
and your identity. Mailing lists are just another one of these places.

- -- 
Mike Cardwell  https://grepular.com/     http://cardwellit.com/
OpenPGP Key    35BC AF1D 3AA2 1F84 3DC3  B0CF 70A5 F512 0018 461F
XMPP OTR Key   8924 B06A 7917 AAF3 DBB1  BF1B 295C 3C78 3EF1 46B4
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
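The continuity argument in the post (the same key signing message after message is what ties a key to an identity, and a second key carrying the same name cannot claim that history) can be checked mechanically. The following is an added example, not code from the original post or from GnuPG: it parses the machine-readable `[GNUPG:]` lines that `gpg --status-fd 1 --verify` emits (format per GnuPG's doc/DETAILS) and keeps a per-address record of which primary-key fingerprint has signed earlier messages, so that a "Good signature" from a different key with an identical user ID is reported as a conflict rather than accepted. The status samples are constructed; the pinned fingerprint is the one printed in the signature block above, the list address is assumed to be the de-obfuscated form of the header, and the impostor's fingerprint is invented.

```python
"""
Signer-continuity (trust-on-first-use) check over GnuPG --status-fd output.

Added example, not code from the original post or from GnuPG. It assumes each
message has been run through
    gpg --status-fd 1 --verify message.asc
and parses the resulting "[GNUPG:]" lines (format: GnuPG doc/DETAILS).
All status samples below are constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Fingerprint printed under the post (spaces removed).
PINNED_FPR = "35BCAF1D3AA21F843DC3B0CF70A5F5120018461F"

# Constructed: a message signed with the pinned key.
GENUINE_STATUS = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 70A5F5120018461F Mike Cardwell <gnupg@lists.grepular.com>
[GNUPG:] VALIDSIG 35BCAF1D3AA21F843DC3B0CF70A5F5120018461F 2012-02-01 1328130331 0 4 0 1 2 01 35BCAF1D3AA21F843DC3B0CF70A5F5120018461F
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""

# Constructed: an invented second key carrying the same user ID. gpg reports
# GOODSIG here as well, because the signature really was made by *that* key.
IMPOSTOR_STATUS = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Mike Cardwell <gnupg@lists.grepular.com>
[GNUPG:] VALIDSIG 0F0F0F0F0F0F0F0F0F0F0F0F0123456789ABCDEF 2012-02-02 1328216731 0 4 0 1 2 01 0F0F0F0F0F0F0F0F0F0F0F0F0123456789ABCDEF
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""

# Constructed: a message whose signature does not verify at all.
BAD_STATUS = """\
[GNUPG:] NEWSIG
[GNUPG:] BADSIG 70A5F5120018461F Mike Cardwell <gnupg@lists.grepular.com>
"""

STATUS_RE = re.compile(r"^\[GNUPG:\] (\S+)(?: (.*))?$")


@dataclass(frozen=True)
class Signer:
    uid: str          # user ID string as reported by GOODSIG
    email: str        # address extracted from the user ID
    fingerprint: str  # primary-key fingerprint from VALIDSIG
    trust: str        # TRUST_* token, i.e. gpg's web-of-trust verdict


def parse_status(text: str) -> Optional[Signer]:
    """Signer of a GOODSIG/VALIDSIG pair, or None if gpg reported no good signature."""
    uid = fpr = None
    trust = "TRUST_UNDEFINED"
    for line in text.splitlines():
        m = STATUS_RE.match(line)
        if not m:
            continue
        tag, rest = m.group(1), m.group(2) or ""
        if tag == "GOODSIG":
            uid = rest.split(" ", 1)[1]
        elif tag == "VALIDSIG":
            fields = rest.split()
            # Field 0 is the (sub)key that signed; the 10th field, when present,
            # is the primary key's fingerprint, which is what identity pins to.
            fpr = fields[9] if len(fields) >= 10 else fields[0]
        elif tag.startswith("TRUST_"):
            trust = tag
    if uid is None or fpr is None:
        return None
    m = re.search(r"<([^>]+)>", uid)
    return Signer(uid, (m.group(1) if m else uid).lower(), fpr.upper(), trust)


# email -> {primary fingerprint -> number of good signatures seen from it}
History = Dict[str, Dict[str, int]]


def check_signer(status_text: str, history: History) -> Tuple[str, Optional[Signer], str]:
    """Classify one verified message against the signing history for its address.

    Verdicts: "invalid" (no good signature), "new" (first key seen for the address,
    pinned on first use), "same" (the key that signed earlier messages), "conflict"
    (a different key claims the address; GOODSIG alone cannot distinguish it from
    the genuine one, only the recorded history can). Conflicting keys are not pinned.
    """
    signer = parse_status(status_text)
    if signer is None:
        return "invalid", None, "no valid signature"
    seen = history.setdefault(signer.email, {})
    if not seen:
        seen[signer.fingerprint] = 1
        return "new", signer, f"first signature from {signer.email}; pinning {signer.fingerprint}"
    if signer.fingerprint in seen:
        seen[signer.fingerprint] += 1
        return "same", signer, f"{seen[signer.fingerprint]} messages from {signer.email} signed by this key"
    known = ", ".join(f"{f} ({n} msgs)" for f, n in seen.items())
    return "conflict", signer, (f"{signer.email} previously signed with {known}; this message is "
                                f"from unknown key {signer.fingerprint} (gpg trust: {signer.trust})")


def demo() -> list:
    """Replay a short history: the genuine key twice, then the impostor, then a bad signature."""
    history: History = {}
    return [check_signer(s, history)[0]
            for s in (GENUINE_STATUS, GENUINE_STATUS, IMPOSTOR_STATUS, BAD_STATUS)]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

Note that both sample messages produce `GOODSIG` and `TRUST_UNDEFINED`: without a web-of-trust path or a pinned fingerprint, gpg's output for the impostor is indistinguishable from the genuine one, which is exactly the objection being answered. Pinning the primary fingerprint rather than the key ID or user ID is deliberate, since the user ID is attacker-chosen and short key IDs can collide. Later GnuPG releases (2.1 series onward) implement the same idea natively with `--trust-model tofu` or `tofu+pgp`, which records email-to-key bindings and warns on a conflict.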


