mysterious PGP release-signing keys
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Please excuse the crosspost, but does anyone know *who* generated and/or owns these keys?

0xBB1EEF1B  Verify
0xC8501551  Verify Key for http://www.arc.unm.edu/~drosoff/*
0xAA9AE13F  Verify PGP 6.0.2 PP - RSA
0x772B7382  VERIFY <VERIFY@gnwmail.com>

They seem to be used for signing/verifying PGP releases (e.g. the 602 by CKT at Replay), but there's nothing on the keys that identifies the responsible engineer who compiled the source, nor do some of them seem to be certified by anyone in the WoT.

Questions have been raised about the authenticity and security of those compiles and these keys.

dave

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.0.2
Comment: Get interested in computers -- they're interested in YOU!

iQA/AwUBNn11mJBN/qMowCmvEQI4IwCfad0S9Algw7PPDsgWChimC4Cx6dcAnjtu
h2trwMi08tJMCD76W6W8DP/L
=TFuT
-----END PGP SIGNATURE-----
> Please excuse the crosspost, but does anyone know *who* generated and/or owns these keys?

This is yet another good example of why one should never confuse using PK certificates with security. An email PGP signature looks impressive but in practice it is useless.

- Alex

--
Alex Alten
Alten@Home.Com
Alten@TriStrata.Com
P.O. Box 11406
Pleasanton, CA 94588 USA
(925) 417-0159
> > This is yet another good example of why one should never confuse using PK certificates with security. An email PGP signature looks impressive but in practice it is useless.
>
> It is useful iff you can verify the validity of the used PK certificate. That's what the web of trust in PGP is for.

Unfortunately the "if" is false. I have no idea if your fancy PK signature really represents you. Just look at the recent trouble Black Unicorn has had with someone else using the same name affiliated with a key stored on the Network Associates PGP key server. Dave could not verify a PK signature for the PGP software distribution itself.

PKI, or a web of trust, looks good on paper but in practice it does not work when scaled up to large numbers of networked users.

- Alex

--
Alex Alten
Alten@Home.Com
Alten@TriStrata.Com
P.O. Box 11406
Pleasanton, CA 94588 USA
(925) 417-0159
Hi Alex!

> This is yet another good example of why one should never confuse using PK certificates with security. An email PGP signature looks impressive but in practice it is useless.

It is useful iff you can verify the validity of the used PK certificate. That's what the web of trust in PGP is for.

Cheers,
Patrick

---
PGP-KeyID: DD934139 (pafei@rubin.ch)
encrypt mail with PGP if possible
more about PGP on http://www.rubin.ch/pgp/ (English and German)
what is the web of trust? see http://www.rubin.ch/pgp/weboftrust.en.html
The PGP web of trust: http://www.rubin.ch/pgp/weboftrust.de.html
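Added example, not part of any post in this thread: a one-hop version of the check the thread argues about, namely whether a release-signing key carries any certification from a key whose owner you have verified yourself. It assumes GnuPG's `gpg --check-sigs --with-colons` listing format (the thread's PGP 2.6.3i and 6.0.2 predate it); the sample listing, key IDs and names are constructed, and the function names are hypothetical.

```python
# Constructed sample in the format of `gpg --check-sigs --with-colons`
# (key IDs, names and dates are made up). Field 2 of a sig record is the
# check result: "!" good, "-" bad, "?" signer's public key not available.
SAMPLE = """\
pub:-:1024:1:AAAAAAAA00000001:913000000:::-:::scESC:
uid:-::::913000000::0000::Verify:
sig:!::1:AAAAAAAA00000001:913000000::::Verify:13x:
pub:-:1024:17:BBBBBBBB00000002:913000000:::-:::scESC:
uid:-::::913000000::0000::Release Engineer <rel@example.org>:
sig:!::17:BBBBBBBB00000002:913000000::::Release Engineer <rel@example.org>:13x:
sig:!::17:CCCCCCCC00000003:913100000::::Introducer <intro@example.org>:10x:
pub:-:1024:17:DDDDDDDD00000004:913000000:::-:::scESC:
uid:-::::913000000::0000::VERIFY <verify@example.org>:
sig:!::17:DDDDDDDD00000004:913000000::::VERIFY <verify@example.org>:13x:
sig:?::17:EEEEEEEE00000005:913200000::::[User ID not found]:10x:
sig:!::17:FFFFFFFF00000006:913300000::::Stranger <s@example.org>:10x:
"""

CERT_CLASSES = {"10", "11", "12", "13"}  # OpenPGP certification signature types


def third_party_certs(listing):
    """Return {primary key ID: [(signer key ID, check result), ...]},
    skipping self-signatures and non-certification signatures."""
    keys, current = {}, None
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            current = f[4]
            keys[current] = []
        elif f[0] == "sig" and current and len(f) > 10:
            if f[4] != current and f[10][:2] in CERT_CLASSES:
                keys[current].append((f[4], f[1]))
    return keys


def assess(listing, verified_by_me):
    """Classify each key by its direct (one-hop) certifications.
    verified_by_me: key IDs whose owners you have checked yourself."""
    report = {}
    for key, certs in third_party_certs(listing).items():
        good = {signer for signer, result in certs if result == "!"}
        if good & verified_by_me:
            report[key] = "trusted-path"       # a checked cert from a key you verified
        elif certs:
            report[key] = "unverified-certs"   # certified, but by nobody you can vouch for
        else:
            report[key] = "self-signed-only"   # nothing but the key's own signature
    return report


if __name__ == "__main__":
    for key, status in assess(SAMPLE, {"CCCCCCCC00000003"}).items():
        print(key, status)
```

A key that comes back `self-signed-only` or `unverified-certs` proves only that a release was signed by whoever holds that key, not who that is.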
Participants (3): Alex Alten, Dave Del Torto, Patrick Feisthammel