[lug] Public Key Signings

Michael J. Pedersen marvin at keepthetouch.org
Wed Oct 11 14:14:58 MDT 2000


On Wed, Oct 11, 2000 at 01:14:09PM -0600, Neal McBurnett wrote:
> You've talked of a driver's license.  But that only verifies someone's
> name.  For proper security, you should only sign an email address on a
> key if you have verified the email address also.  People can claim any
> email address they like on a key.  Suppose you were to sign my key
> with an email address of <nealmcb at whitehouse.gov>.  Subsequently, when
> you get email in which I forge that as the From: address (also trivial
> to do), GPG would assure you that it was my signature, as verified by
> you.  Then you (or other people that trust your signature) might
> mistakenly conclude the email really was from someone at the
> White House.

That's true. However, I'm not attempting to tie people to email addresses. I'm
attempting to tie people to keys.

This might sound wrong, and insecure, but it's not. After all, with current
code, you can edit your keys at any time to change your email address. I sign
your public key, and then you change it to be the forged email address. It's
still broken.

Is it a security risk? Yes. But one that has to be overcome with either social
engineering, or with different tools. It's not one that can be overcome with
any amount of effort on the part of the keysigner.

> Has anyone ever discussed some sort of Netscape plug-in for
> GPG (or PGP)?  That is what my wife currently uses....

To the best of my knowledge, no. However, you can use identical instructions
from my crypto howto (for instance, Windows Outlook/GNUPG), to make gnupg work
with Netscape.

-- 
Michael J. Pedersen
My GnuPG KeyID: 4E724A60        My Public Key Available At: wwwkeys.pgp.net
My GnuPG Key Fingerprint: C31C 7E90 5992 9E5E 9A02 233D D8DD 985E 4E72 4A60
GnuPG available at http://www.gnupg.org
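As an added illustration of what a GnuPG key signature covers (example code written for this archive page, not part of the thread): per RFC 4880 section 5.2.4, a certification signature hashes the public-key packet together with the User ID packet, so each (key, name/email) pair is certified separately. The key parameters and user IDs below are constructed.

```python
import hashlib
import struct


def mpi(value: int) -> bytes:
    """Encode an integer as an OpenPGP MPI: 2-octet bit count, then big-endian magnitude."""
    nbits = value.bit_length()
    return struct.pack(">H", nbits) + value.to_bytes((nbits + 7) // 8, "big")


def public_key_body(created: int, n: int, e: int) -> bytes:
    """Body of a V4 RSA public-key packet (RFC 4880 5.5.2): version, time, algo 1, n, e."""
    return b"\x04" + struct.pack(">I", created) + b"\x01" + mpi(n) + mpi(e)


def certification_digest(key_body: bytes, uid: bytes, sig_type: int = 0x10,
                         sig_created: int = 0) -> str:
    """SHA-256 over exactly what a V4 certification signature (0x10-0x13) signs.

    Both the key packet and the User ID packet go into the hash, so the certifier
    vouches for the (key, user ID) pair, not for the key alone.
    """
    # Hashed subpackets: a single Signature Creation Time subpacket (length 5, type 2).
    hashed = b"\x05\x02" + struct.pack(">I", sig_created)
    # V4 signature fields: version, type, pubkey algo (RSA=1), hash algo (SHA-256=8), subpackets.
    sig_data = bytes([0x04, sig_type, 0x01, 0x08]) + struct.pack(">H", len(hashed)) + hashed
    h = hashlib.sha256()
    h.update(b"\x99" + struct.pack(">H", len(key_body)) + key_body)  # key, as for a fingerprint
    h.update(b"\xb4" + struct.pack(">I", len(uid)) + uid)            # the User ID being certified
    h.update(sig_data)
    h.update(b"\x04\xff" + struct.pack(">I", len(sig_data)))         # V4 trailer
    return h.hexdigest()


# Constructed sample key (toy RSA parameters, NOT a real key) and two user IDs.
SAMPLE_KEY = public_key_body(971271298, n=0xC0FFEE1234567891, e=65537)
UID_REAL = b"Neal McBurnett <nealmcb@example.org>"
UID_FORGED = b"Neal McBurnett <nealmcb@whitehouse.gov>"


def uid_binding_differs(key_body: bytes, uid_a: bytes, uid_b: bytes) -> bool:
    """True if a certification of uid_a on key_body does not also cover uid_b."""
    return certification_digest(key_body, uid_a) != certification_digest(key_body, uid_b)


if __name__ == "__main__":
    print("real  :", certification_digest(SAMPLE_KEY, UID_REAL))
    print("forged:", certification_digest(SAMPLE_KEY, UID_FORGED))
    print("separate certification needed:", uid_binding_differs(SAMPLE_KEY, UID_REAL, UID_FORGED))
```

Because the digest changes with the user ID, a signature made over one user ID does not carry over to a user ID added or edited later; GnuPG shows this per user ID in `gpg --list-sigs`.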