-----BEGIN PGP SIGNED MESSAGE----- J. Michael Diehl wrote: I'm having a philosophical problem regarding when to sign someone else's public key. Obviously, if you watch someone generate a key, and they physically hand you a copy of it, you should sign it. Fortunately, life has been this good to me about 5 times. But what if life isn't so good? Lets say someone emails me a key and the return address matches that of the address in the key. Do I assume no one is spoofing me? Bad idea! The danger is not especially that the person you're talking to isn't who he says he is. Chances are you've never met him and never will. The danger is that a third person is intercepting messages and substituting his own keys. This allows him to monitor your encrypted traffic, which is what encryption is supposed to prevent. My own rule for signing keys is that there must be a key verification independent of the net. i.e. nothing received by e-mail can be depended on to verify a key. If you live any distance from the other person, the most economical method is by postal mail. I will sign keys when I receive a mailed photocopy of any "official" picture ID, along with a signed statement containing the key "fingerprint" (-kvc), which matches the fingerprint of a key received via e-mail. You can mail a letter anywhere in the world for less than $1.00. Any "spoofer" short of governments (at either end) or organized crime will have a hard time intercepting much less altering letter mail. Another possibility is a phone verification. The person who will be signing the key should call the owner of the key at a -listed- phone number (use the out-of-town phone books at the library, or check with information at (xxx)555-1212.) Don't rely on a phone number in e-mail; it could be the spoofer's. Once again, though, a government or OC could arrange to intercept/divert incoming phone calls. I also carry business-card-size pieces of paper with my name, net address, and key fingerprint, with me. I give them out at parties, or anytime I physically meet someone who is on the net. Person's receiving the paper can use it to verify that the key I send them via e-mail has the same fingerprint as on the paper. Ideally, anyone giving you such a card should also show you a driver's license or other picture ID, before expecting you to go home and sign his key. Phil Zimmerman has endorsed the idea of mail and phone verification; this is the main reason the key fingerprint feature was added to PGP. Phil signed my key based on a phone call. Based on mail verification I just signed a key from Taiwan! I've also signed two keys from Germany with mail verification. There are those (e.g. Perry Metzker) who think this standard is too loose. Opinions differ. -----BEGIN PGP SIGNATURE----- Version: 2.3.2/EWS iQCVAgUBLEThEt4nNf3ah8DHAQGJfgP/W85P6IEkGYkmKeFe/px0XPfMvDqTMWXA 5kJ2cTIDRdSbLqDh0VdMsUaAtDR2nkWJKCFRnXA+GEttXy31gPGq6bY/Q19U8dAq VzNHY0o2ldzrDmp77BQo2kqTapENvIxKkXFiFAATleoLt6hMAgfejRlci/uTfG7Z NoCwQVeac7c= =wwV4 -----END PGP SIGNATURE----- -- edgar@spectrx.saigon.com (Edgar W. Swank) SPECTROX SYSTEMS +1.408.252.1005 Cupertino, Ca
participants (1)
-
edgar@spectrx.Saigon.COM