-----BEGIN PGP SIGNED MESSAGE----- Ok, People... Let's say that I receive a message via a mailing list from an entity. This message is signed with a PGP public key. Being that I am interested in some of the ideas proposed by this entity, I respond to the message, but I fat-finger my mailer and it sends out the message unsigned. However, my .signature is reasonably automated and my public key id is included there. I obtain the the public key associated with the original entity from the keyservers and the signature verifies, but the key on the servers is not signed. Concurrently, I receive a message in response to a message I sent to this entity, which comes to me encrypted with my public key and signed with the private key paired off to the public key I obtained for this entity from a keyserver. Being a believer in anonymity, I feel that whatever person, machine, or thing which placed the key on the keyserver and kindly responded to my message is reasonably expected to be the owner of the private key associated with the public key I obtained. Is this a fallacy? Am I wrong to sign the public key I got from the keyserver and return said key to the address purported to be the entity of ownership? What the entity does with the signature is, in my opinion up to it. Is it unrealistic to assign the probability of two entities being able to generate signatures for the same public key as close to zero? (consider that this is a 2047 bit key) Am I opening myself to attacks? By this, I mean to ask whether or not MY key is in any way possibly compromised in the exchange described. I keep a separate and 'unpublished' keypair to be used for physically met individuals. The public key of this keypair is NEVER sent by any means other than physically. This key signs only the keys of the people I meet in person or have extensive telephone conversations with. While people who recieve the signature of this key also get a copy of it, I only distribute this key to those I trust not to disseminate it further. - --- "Obviously, the US Constitution isn't perfect, but it's a lot better than what we have now." - Unknown PGP key id - 0xDEACDFD1 - Full key available from pgp-public-keys@pgp.mit.edu -----BEGIN PGP SIGNATURE----- Version: 2.6.3i Charset: cp850 iQEVAwUBMowSJc1+l8EKBK5FAQEg2Af/agcalrlyDK+Ku+Qq7cnODOJjFIcsDAjh LLuA6KG2DeDQUiAH72uL5WgdiHQaZroAhqRsFGDic3zmc0YGDQkI4W2KTTsVFi08 ubcX9JCnOGuDWxLIwvBdCX/FxDsPyrhTeEUNjjkXp+5k+BdxzLTfbUgbnLgM/BGJ wD3Bq+evmTr86ul0SLUs3KL5h0488LhalPYTKtm9hdO9f3K01kz5W+FLUK3lXKJb YH2e2Ob2Nr/uSH6ElluSMVGtU09i+s40uloqokzAyB7NuTStSCupqUw0nHQKFIY7 Or8uwmZF6c7ivtacstViZ7/6xM0km7wmoyWsee3gxe63LH/Mqr25/A== =0HFl -----END PGP SIGNATURE-----