Re: My NEW gpg key, again.
- To: Manoj Srivastava <srivasta@debian.org>
- Subject: Re: My NEW gpg key, again.
- From: Ola Lundqvist <olalu526@student.liu.se>
- Date: Tue, 7 Nov 2000 13:57:56 +0100
- Message-id: <20001107135756.B30604@diamond.opal.dhs.org>
- Reply-to: olalu526@student.liu.se
- In-reply-to: <1237-Tue07Nov2000032348-0600-srivasta@acm.org>; from srivasta@debian.org on Tue, Nov 07, 2000 at 03:23:48AM -0600
- References: <878zqzypx0.fsf@dt-jtlaptop.datatrans> <878zqy2a1j.fsf@bittersweet.intra> <87u29myip8.fsf@dt-jtlaptop.datatrans> <878zqyxvc6.fsf@bittersweet.intra> <20001106095334.A31637@worldvisions.ca> <35-Mon06Nov2000202207-0600-srivasta@acm.org> <20001106191343.A12303@worldvisions.ca> <9172-Mon06Nov2000224204-0600-srivasta@acm.org> <20001106234239.A19093@worldvisions.ca> <1237-Tue07Nov2000032348-0600-srivasta@acm.org>
On Tue, Nov 07, 2000 at 03:23:48AM -0600, Manoj Srivastava wrote:
> >>"Avery" == Avery Pennarun <apenwarr@worldvisions.ca> writes:
> Avery> Please explain to me why I'm wrong, rather than snipping my
> Avery> "novice level" errors.
>
> Two words. Identity theft. (incidentally, I said your tutorial
> was a novice level one, and did not say there were errors)
>
> You are assuming no one can ever steal a secret key and
> passphrase (a bad assumption, given how lax people are with
Yes, a bad assumption. You can only hope that people handle the identity key
better than simple account keys.
> keys. Now, I steal your key and pass phrase (people actually typed in
> pass phrases in the open on the convention room floor at ALS!!!). I
That is _very_ bad.
> then generate a) a revocation certificate for the old key, and b) a new
> key. c) I sign the new key with the old one (with your much vaunted
> personal signature). d) from the new id on the new key, I send around
> email, signed by old key, asking gullible people to sign my key.
But if someone has stolen your key and passphrase, why generate a new one?
If that someone just uses it, no one would even suspect something...
If I have your secret key _and_ the passphrase, voilà, I'm you.
If you can not trust the secret key _and_ the passphrase you can not trust
anything more (or even that) than eye-to-eye contact and the people you know
in person.
> Much to my surprise, people seem to have no problems doing
> so. Now I upload the revocation cert to public keyservers, and
> perhaps announce the old key is dead. Voilà, I am you; and my new key
> is even signed by you.
The only difference is that if I make a new key and revoke the other I'll
be verified more, and if I succeed you can not revoke mine.
It is not a big surprise that people have problems doing so, because they trust
in what they can trust, the secret key and passphrase.
// Ola
--
--------------------- Ola Lundqvist ---------------------------
/ olalu526@student.liu.se Björnkärrsgatan 5 A.11 \
| opal@lysator.liu.se 584 36 LINKÖPING |
| ordforande@lysator.liu.se +46 (0)13-17 69 83 |
| ola.lundqvist@euronetics.se +46 (0)70-332 1551 |
| http://www.opal.dhs.org UIN/icq: 4912500 |
\ gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9 /
---------------------------------------------------------------
- Follow-Ups:
- Ohh sorry.
- From: Ola Lundqvist <olalu526@student.liu.se>
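The sequence Manoj lays out in the quoted message (revocation certificate for the old key, new key, cross-certification, a transition mail signed with the old key, and only then the revocation upload), replayed end to end with GnuPG in throwaway keyrings. This is an added example, not code from the original thread or from either correspondent. It assumes GnuPG 2.1 or later on PATH; the user ID, the address and the passphrase are made up for the demo.

```shell
#!/bin/sh
# Added example, not from the original thread: replay the key-transition
# sequence quoted above in throwaway GnuPG keyrings and inspect what a
# recipient sees before and after the revocation certificate is published.
# Assumes GnuPG 2.1 or later. The user ID, address and passphrase are made up.
set -eu
command -v gpg >/dev/null 2>&1 || { echo "gpg not found" >&2; exit 1; }

WORK=$(mktemp -d)
VICTIM="$WORK/victim"        # the stolen material: secret key plus passphrase
RECIPIENT="$WORK/recipient"  # someone who already holds the victim's public key
mkdir -m 700 "$VICTIM" "$RECIPIENT"
trap 'gpgconf --homedir "$VICTIM" --kill gpg-agent 2>/dev/null || :; gpgconf --homedir "$RECIPIENT" --kill gpg-agent 2>/dev/null || :; rm -rf "$WORK"' EXIT
PASSPHRASE='typed in on the convention floor'            # constructed
UID_STRING='Alice Example (demo) <alice@example.invalid>' # constructed

# Non-interactive gpg: $1 is the homedir, the rest are gpg arguments.
g() { h=$1; shift
      gpg --homedir "$h" --batch --yes --no-tty --pinentry-mode loopback \
          --passphrase "$PASSPHRASE" "$@"; }

# Primary-key fingerprints in a homedir, one per line.
fprs() { g "$1" --list-keys --with-colons \
           | awk -F: '$1=="pub"{p=1;next} $1=="fpr"&&p{print $10;p=0}'; }

# Validity column of key $2 as the owner of homedir $1 sees it ('r' = revoked).
key_validity() { g "$1" --list-keys --with-colons "$2" \
                   | awk -F: '$1=="pub"{print $2; exit}'; }

# Succeeds when key $2 in homedir $1 carries a certification made by key $3.
certified_by() { g "$1" --list-sigs --with-colons "$2" \
                   | awk -F: -v kid="$(printf %s "$3" | tail -c 16)" \
                         '$1=="sig" && $5==kid {f=1} END{exit !f}'; }

# The status-fd keyword for the signature on file $2 (GOODSIG, REVKEYSIG, ...).
# This, not gpg's exit code, is what a mail client or CI job should look at.
sig_status() { g "$1" --status-fd 1 --verify "$2" 2>/dev/null \
                 | awk '$1=="[GNUPG:]" && $2 ~ /^(GOOD|BAD|ERR|EXP|EXPKEY|REVKEY)SIG$/ {print $2; exit}'; }

# Starting point: the victim has a key and the recipient already holds it.
g "$VICTIM" --quick-generate-key "$UID_STRING" ed25519 sign never 2>/dev/null
OLD=$(fprs "$VICTIM")
g "$VICTIM" --export "$OLD" | g "$RECIPIENT" --import 2>/dev/null

# a) Revocation certificate for the old key. GnuPG 2.1+ stores one at
#    generation time (the ':' prefix keeps it from being imported by accident);
#    a thief holding the secret key and passphrase can equally run
#    --generate-revocation.
sed 's/^://' "$VICTIM/openpgp-revocs.d/$OLD.rev" > "$WORK/old.rev"

# b) A new key with the identical user ID.
g "$VICTIM" --quick-generate-key "$UID_STRING" ed25519 sign never 2>/dev/null
NEW=$(fprs "$VICTIM" | grep -v "$OLD")

# c) Certify the new key with the old one.
g "$VICTIM" -u "$OLD" --quick-sign-key "$NEW" 2>/dev/null

# d) The "I have a new key, please sign it" mail, signed with the old key.
printf 'My new key is %s. Please sign it.\n' "$NEW" \
  | g "$VICTIM" -u "$OLD" --clearsign > "$WORK/transition.asc"
g "$VICTIM" --export "$NEW" | g "$RECIPIENT" --import 2>/dev/null
BEFORE=$(sig_status "$RECIPIENT" "$WORK/transition.asc")   # GOODSIG

# e) Only now does the thief publish the revocation.
g "$RECIPIENT" --import "$WORK/old.rev" 2>/dev/null
AFTER=$(sig_status "$RECIPIENT" "$WORK/transition.asc")    # REVKEYSIG

echo "transition mail before revocation: $BEFORE"
echo "transition mail after revocation:  $AFTER"
echo "old key validity now: $(key_validity "$RECIPIENT" "$OLD")"
if certified_by "$RECIPIENT" "$NEW" "$OLD"; then
    echo "the new key's only third-party certification comes from the retired key"
fi
```

Run it with `sh transition-demo.sh`. The telling part is the timing: in the recipient's keyring the transition mail verifies as GOODSIG for as long as the thief withholds the revocation, and the new key's only third-party certification is from the very key being retired, so a transition statement is worth exactly as much as the old key was. Parse the `[GNUPG:]` status lines rather than the exit code, and confirm a key change out of band (in person or by a known phone number) before adding your signature to the new key.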