Let's say someone emails me a key and the return address matches that of the address in the key. Do I assume no one is spoofing me? You have to admit that this is possible, albeit unlikely. What good is key certification if it is only "probably valid"? I've noticed that many of the keys on the server are signed with the same person's key. I doubt that these people have had physical contact with each of the people whose key they've signed. Am I just being paranoid, or is there a valid issue here? I welcome any of your comments.
I understand your precaution and problem very well. I have had similar fears. Recently, I was in a similar situation. I wanted to exchange keys with someone I have met only once. The situation as it arose actually ended up working okay. We exchanged keys after encrypting them with the normal encryption option, with a password being someone at the place we meet. Knowledge common to only a few select people. Then we started a talk session at a prescribed time at the relevant addresses and tried to rely on information-specific dialogue to verify one's person as the one in question. Without physically being there, this seems like at least a little extra security.

As to the broader question you are really asking on verification, I am unsure how it can be solved. Obviously my situation was unique in that we had met and could decide on an information basis that would seemingly be hard to duplicate, but this is not always available.

Paul
--
R O  All Comments Copyright by          | Technofetisht
A N  Paul S. Goggin (1993)              | Cypher, Cyber, Chaos
V    Information Broker                 | Ergoflux, Interzone
E    chaos@aql.gatech.edu               | Carpe Diem: Stop the Clipper wiretap chip
Finger account for latest _Phrack_      | Public Key: PGP and RIPEM available
For anonymous communication:---> anonymus+4744@charcoal.com
------------------------------------------------------------------------------
Title 18 USC 2511 and 18 USC 2703 Protected -- Monitoring Absolutely Forbidden
participants (1): Paul Goggin