[lug] Public Key Signings

Neal McBurnett nealmcb at avaya.com
Wed Oct 11 13:14:09 MDT 2000


-----BEGIN PGP SIGNED MESSAGE-----

Once upon a time, Michael J. Pedersen <marvin at keepthetouch.org> wrote:
> I'm doing public key signings, and will ask people to please email
> me a reply if they wish to have me sign their public key.

Thanks for taking this on, Michael!

I'm sorry I didn't get around to reading this thread until now.  I've
been a PGP user since 1993, when Phil Zimmerman, author of PGP, who 
lived in Boulder at the time, gave a talk for the Front Range Unix  
User's Group.  I did a bit of research on the PGP Web of Trust as it
existed 1995-1997:
        http://bcn.boulder.co.us/~neal/pgpstat/

> When doing so, simply send a reply with your public key, and sign
> it. I'll find people at the meeting on Thursday, and we'll deal with
> key signings then.

You've talked of a driver's license.  But that only verifies someone's
name.  For proper security, you should only sign an email address on a
key if you have verified the email address also.  People can claim any
email address they like on a key.  Suppose you were to sign my key
with an email address of <nealmcb at whitehouse.gov>.  Subsequently, when
you get email in which I forge that as the From: address (also trivial
to do), GPG would assure you that it was my signature, as verified by
you.  Then you (or other people that trust your signature) might
mistakenly conclude the email really was from someone at the
White House.

For email verification, you could e.g. require a signature on text
that was sent as a challenge to *only that email address*.  Or just
get someone you know to vouch for it.

It would be pretty easy to point people to a web page that would send
them a challenge via email, and they could sign it and paste it into another
web form or mail it to you.  The challenge should include the
email address and some random string of text like $RANDOM.

> If you need some assistance getting your emailer setup, please
> either email me at marvin at keepthetouch.org or read my (slightly
> outdated, but being worked on) howto at
> http://www.keepthetouch.org/crypto.html Talk to everybody soon! 

Has anyone ever discussed some sort of Netscape plug-in for
GPG (or PGP)?  That is what my wife currently uses....

Cheers,

Neal McBurnett <nealmcb at avaya.com>  303-538-4852 Denver
Avaya Inc, the former Enterprise Networking Group of Lucent/Bell Labs
http://bcn.boulder.co.us/~neal/        (with GnuPG/PGP keys)

> Michael J. Pedersen
> My GnuPG KeyID: 4E724A60        My Public Key Available At: wwwkeys.pgp.net
> My GnuPG Key Fingerprint: C31C 7E90 5992 9E5E 9A02 233D D8DD 985E 4E72 4A60
> GnuPG available at http://www.gnupg.org 
>
> [ Attachment (application/pgp-signature): "F0M8544.A02" 232 bytes ] 

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
Comment: Processed by Mailcrypt 3.4, an Emacs/PGP interface

iQB1AwUBOeS7rnOxjn5XNuDtAQHliwMAlXotbBs5awZ8JMbPLyTF44k9TJ2Ngn21
H+fpYtrW1C0N/WlBOu9wLf8Xgw3eTaCPkGlgpDZ8NtB6JWE2JouRwcFbsXvqYiAa
1xSuoAwkgPQ3vQEGtSpZVOm4E6zQ516z
=peE8
-----END PGP SIGNATURE-----

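An added worked example, not part of Neal's message or of any project's code, showing the challenge exchange he describes: a challenge that names the address and carries a random string is mailed to that address only, the key holder signs it, and the signer of the key accepts the reply only if the signed text is exactly the challenge that went to the address being certified. It uses an Ed25519 key pair from Go's standard library as a stand-in for the key holder's PGP key (a real key-signing tool would hand the reply to gpg --verify instead); the addresses, the challenge wording, the nonce format and the one-hour lifetime are assumptions for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"sync"
	"time"
)

// Challenge is the text mailed to exactly one address. It names that address
// and carries a random nonce, so a copy proves nothing about any other
// address and cannot be reused once it has been redeemed.
type Challenge struct {
	Email   string
	Nonce   string
	Expires time.Time
}

// Text is the exact string the key holder must sign (wording is an assumption).
func (c Challenge) Text() string {
	return fmt.Sprintf("Sign this to prove the holder of this key reads %s (nonce %s, valid until %s)",
		c.Email, c.Nonce, c.Expires.UTC().Format(time.RFC3339))
}

// Issuer hands out challenges and checks the signed replies. Outstanding
// challenges are kept by nonce so each can be redeemed only once.
type Issuer struct {
	mu      sync.Mutex
	pending map[string]Challenge
	TTL     time.Duration
	Now     func() time.Time // replaceable so expiry can be exercised in tests
}

func NewIssuer(ttl time.Duration) *Issuer {
	return &Issuer{pending: map[string]Challenge{}, TTL: ttl, Now: time.Now}
}

// Issue creates a challenge for email. The caller mails c.Text() to that
// address and to nobody else; that delivery is what ties a reply to the mailbox.
func (s *Issuer) Issue(email string) (Challenge, error) {
	var b [16]byte
	if _, err := rand.Read(b[:]); err != nil {
		return Challenge{}, err
	}
	c := Challenge{Email: email, Nonce: hex.EncodeToString(b[:]), Expires: s.Now().Add(s.TTL)}
	s.mu.Lock()
	s.pending[c.Nonce] = c
	s.mu.Unlock()
	return c, nil
}

// Response is what the key holder sends back: which nonce is being answered,
// the address they want certified, the text they signed, and the signature.
type Response struct {
	Nonce  string
	Email  string
	Signed string
	PubKey ed25519.PublicKey
	Sig    []byte
}

var (
	ErrUnknownChallenge = errors.New("no outstanding challenge with that nonce (never issued, or already used)")
	ErrExpired          = errors.New("challenge has expired")
	ErrEmailMismatch    = errors.New("challenge was mailed to a different address than the one to be certified")
	ErrTextMismatch     = errors.New("signed text is not the challenge that was mailed")
	ErrBadSignature     = errors.New("signature does not verify under the presented key")
)

// Verify accepts a reply only if the challenge is live, was mailed to the
// address being certified, the signed text is exactly that challenge, and the
// signature checks under the presented key. A successful reply is consumed.
func (s *Issuer) Verify(r Response) error {
	s.mu.Lock()
	defer s.mu.Unlock()
	c, ok := s.pending[r.Nonce]
	if !ok {
		return ErrUnknownChallenge
	}
	if s.Now().After(c.Expires) {
		delete(s.pending, r.Nonce)
		return ErrExpired
	}
	if c.Email != r.Email {
		return ErrEmailMismatch
	}
	if r.Signed != c.Text() {
		return ErrTextMismatch
	}
	if len(r.PubKey) != ed25519.PublicKeySize || !ed25519.Verify(r.PubKey, []byte(r.Signed), r.Sig) {
		return ErrBadSignature
	}
	delete(s.pending, r.Nonce) // single use: a replayed reply now gets ErrUnknownChallenge
	return nil
}

func main() {
	issuer := NewIssuer(time.Hour)
	pub, priv, _ := ed25519.GenerateKey(nil) // stand-in for the key holder's PGP key
	c, _ := issuer.Issue("nealmcb@avaya.com")
	reply := Response{Nonce: c.Nonce, Email: "nealmcb@avaya.com", Signed: c.Text(),
		PubKey: pub, Sig: ed25519.Sign(priv, []byte(c.Text()))}
	fmt.Println("genuine reply:", issuer.Verify(reply))
	fmt.Println("replayed reply:", issuer.Verify(reply))
	c2, _ := issuer.Issue("nealmcb@avaya.com")
	claim := Response{Nonce: c2.Nonce, Email: "nealmcb@whitehouse.gov", Signed: c2.Text(),
		PubKey: pub, Sig: ed25519.Sign(priv, []byte(c2.Text()))}
	fmt.Println("same key, asking to certify whitehouse.gov:", issuer.Verify(claim))
}
```

The last case in main is the whitehouse.gov situation from the message: the signature is perfectly genuine, but the challenge went to the avaya.com mailbox, so it says nothing about who reads mail at the other address, and Verify refuses to certify it. Consuming the challenge on success means a reply that leaks later cannot be presented twice, and the expiry bounds how long a mailed challenge stays useful to anyone who intercepts it.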