Re: PGP and verifying ids / emails
Hi,
>> "Buddha" == Buddha Buck <bmbuck@zaphod.dhis.org> writes:
Buddha> I have the ability to generate the fingerprint on any key that I have
Buddha> available to me. Therefore, if I had a public key created and signed
Buddha> by "John Smith", I could in fact generate the fingerprint for that key.
Buddha> By meeting you in person, presenting myself as "John Smith", showing
Buddha> (forged) credentials to that effect, and giving you "John Smith"'s
Buddha> fingerprint, you would be willing to sign "John Smith"'s key?
If you indeed have two picture IDs that prove you are Bill
Gates, or John Smith, or whoever, and the key ID matches the picture
ID, then yes, you would have my signature.
This is the weakness of the PKI -- and with a decent forgery,
you can indeed violate the web of trust. The point? We are willing to
accept the fact that there is a risk that a decent makeup artist +
forger could indeed penetrate security here.
Buddha> It seems that there is a missing step -- verification that I
Buddha> know "John Smith"'s private key. Without that, you are
How can you know someone's private key? (A nit: In any case,
you don't sign a private key -- you sign a public key).
Buddha> trusting me that I am the person associated with that key.
Buddha> With it, I have proven that I am the keyholder.
I would not sign a key unless the ID field in the key matched
the physical ID that I saw. And you matched the pictures on the ID. I
assume that implicitly when I see a signature on a pgp key.
manoj
--
Ryan's Law: Make three correct guesses consecutively and you will
establish yourself as an expert.
Manoj Srivastava <srivasta@debian.org> <http://www.debian.org/%7Esrivasta/>
Key C7261095 fingerprint = CB D9 F4 12 68 07 E4 05 CC 2D 27 12 1D F5 E8 6E
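The missing step the thread argues about, checking that the person in front of you can actually use the private half of the key you are about to sign, is a challenge-response: the signer hands over a fresh nonce and the holder signs it. This is an added example, not code from either poster; it assumes Ed25519 from Go's standard library in place of OpenPGP keys and a SHA-256 digest as a stand-in for the PGP fingerprint, so it shows the shape of the check rather than the OpenPGP packet format.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Fingerprint stands in for a PGP key fingerprint (assumption: SHA-256 of the
// raw public key; a real OpenPGP fingerprint hashes the key packet instead).
func Fingerprint(pub ed25519.PublicKey) string {
	return fmt.Sprintf("%x", sha256.Sum256(pub))
}

// GenerateKeyPair creates a fresh key pair for the demonstration.
func GenerateKeyPair() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// NewChallenge: a fresh nonce from the signer, so an old signature cannot be replayed.
func NewChallenge() ([]byte, error) {
	nonce := make([]byte, 32)
	_, err := rand.Read(nonce)
	return nonce, err
}

// ProveControl is run by the key holder: sign the signer's challenge.
func ProveControl(priv ed25519.PrivateKey, challenge []byte) []byte {
	return ed25519.Sign(priv, challenge)
}

// WillingToSign is the signer's decision. The fingerprint check ties a name on the
// photo ID to a key; the signature over our challenge ties the person to its private half.
func WillingToSign(pub ed25519.PublicKey, presentedFpr string, challenge, proof []byte) bool {
	if Fingerprint(pub) != presentedFpr {
		return false // the key in hand is not the one the person claims
	}
	return ed25519.Verify(pub, challenge, proof)
}

func main() {
	johnPub, johnPriv, _ := GenerateKeyPair()
	_, impostorPriv, _ := GenerateKeyPair() // holds John's public key and forged ID only
	challenge, _ := NewChallenge()
	fpr := Fingerprint(johnPub)
	fmt.Println("real holder:", WillingToSign(johnPub, fpr, challenge, ProveControl(johnPriv, challenge)))
	fmt.Println("impostor:   ", WillingToSign(johnPub, fpr, challenge, ProveControl(impostorPriv, challenge)))
}
```

The impostor case is exactly the scenario in the quoted message: the right public key and a matching fingerprint, but no way to answer a challenge only the real holder can sign.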