
Re: PGP and verifying ids / emails



Hi,
>>"Brian" == Brian May <bam@snoopy.apana.org.au> writes:

 Brian> You need to be sure that you are signing the *correct* public
 Brian> key, and not just any public key that happened to be created
 Brian> with "John Smith"'s id (which is publicly known).

        When I sign a key, I am standing in front of John Smith,
 who has convinced me it is indeed John Smith (using 2 picture
 ID's). He then asks me to sign a key -- I assume he is giving me a
 public key whose private key he has (what is the point otherwise?). 

        I do verify that the ID on the key matches the ID that was
 shown to me. 

 Brian> i.e. there is not much point in a public key for "John Smith"
 Brian> if "John Smith" doesn't have the private key.

        Why is he asking me to sign it then?

 Brian> Somebody may have replaced a copy of the correct key with a
 Brian> "forged" key along the way.

        Without John Smith knowing? I hope no one is that incompetent.

 Brian> You (as the signer) need some way to verify that "John Smith"
 Brian> really does have the private key before signing the public
 Brian> key.

        How does one do this? 

 Brian> Of course, I have never attended a key signing meeting, so I
 Brian> don't know how/if this checking is usually done. I think the
 Brian> usual way is to check the fingerprint of the key.  Come to
 Brian> think of it, I don't think anybody asked for my key
 Brian> fingerprint when I became a Debian maintainer...  (I may be
 Brian> mistaken though).


        This is quite confused. The fingerprint is of the public key
 (or else how do you check it? No one should be giving anyone a look
 at the private key at all).

        I think you are missing something. See, I meet John Smith. He
 shows me photo-ID. He gives me the fingerprint of his *public* key. I
 download the key from a key server, and check the fingerprint. I check the
 ID matches the photo ID's I saw. I sign just that ID. Now tell me
 again, how, short of forging two picture ID's, there is a flaw in
 this.

        manoj

-- 
 The meta-Turing test counts a thing as intelligent if it seeks to
 devise and apply Turing tests to objects of its own creation. Lew
 Mammel, Jr.
Manoj Srivastava   <srivasta@debian.org>  <http://www.debian.org/%7Esrivasta/>
Key C7261095 fingerprint = CB D9 F4 12 68 07 E4 05  CC 2D 27 12 1D F5 E8 6E
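The procedure the message describes, as an added example that is not part of the original thread: compute the fingerprint of an OpenPGP *public* key packet the way RFC 4880 section 12.2 defines it (SHA-1 over the packet for v4 keys; MD5 over the RSA modulus and exponent for the older v3 keys, the format of the fingerprint in the signature above), compare it against the fingerprint handed over on paper, and certify only the user ID whose name matches the photo ID. The RSA key, the user IDs, the creation time and the fingerprint slip are all constructed for illustration and are not real key material.

```python
"""Fingerprint computation and key-signing checks. Added example, not code
from the original post; key material, user IDs and the slip are constructed."""
import hashlib
import re


def mpi(n: int) -> bytes:
    """Encode an integer as an OpenPGP MPI: two-octet bit length, then big-endian magnitude."""
    bits = n.bit_length()
    return bits.to_bytes(2, "big") + n.to_bytes((bits + 7) // 8, "big")


def read_mpi(buf: bytes, off: int):
    """Decode an MPI at buf[off:]; return (value, offset just past it)."""
    bits = int.from_bytes(buf[off:off + 2], "big")
    nbytes = (bits + 7) // 8
    return int.from_bytes(buf[off + 2:off + 2 + nbytes], "big"), off + 2 + nbytes


def rsa_key_body(version: int, created: int, n: int, e: int, validity_days: int = 0) -> bytes:
    """Body of a public-key packet (RFC 4880 5.5.2): version, creation time,
    a validity field for v3 only, algorithm 1 (RSA), then the MPIs n and e."""
    body = bytes([version]) + created.to_bytes(4, "big")
    if version == 3:
        body += validity_days.to_bytes(2, "big")
    return body + b"\x01" + mpi(n) + mpi(e)


def public_key_packet(body: bytes) -> bytes:
    """Old-format packet header: tag 6 with a two-octet length gives CTB 0x99,
    which is exactly the prefix RFC 4880 hashes into a v4 fingerprint."""
    return b"\x99" + len(body).to_bytes(2, "big") + body


def parse_public_key_packet(pkt: bytes) -> bytes:
    """Return the body of an old-format public-key packet, or raise ValueError."""
    ctb = pkt[0]
    if ctb & 0xC0 != 0x80:
        raise ValueError("not an old-format packet")
    if (ctb >> 2) & 0x0F != 6:
        raise ValueError("not a public-key packet (tag 6)")
    hdr_len = {0: 2, 1: 3, 2: 5}.get(ctb & 0x03)
    if hdr_len is None:
        raise ValueError("indeterminate length not supported")
    length = int.from_bytes(pkt[1:hdr_len], "big")
    body = pkt[hdr_len:hdr_len + length]
    if len(body) != length:
        raise ValueError("truncated packet")
    return body


def fingerprint(pkt: bytes) -> str:
    """Fingerprint of the public key in pkt (RFC 4880 12.2), upper-case hex.
    v4: SHA-1 over 0x99, two-octet body length, body (creation time included).
    v3: MD5 over the magnitudes of n then e only, so time and user IDs are not bound."""
    body = parse_public_key_packet(pkt)
    version = body[0]
    if version == 4:
        return hashlib.sha1(b"\x99" + len(body).to_bytes(2, "big") + body).hexdigest().upper()
    if version == 3:
        if body[7] != 1:
            raise ValueError("v3 fingerprints are defined for RSA keys only")
        n, off = read_mpi(body, 8)
        e, _ = read_mpi(body, off)
        return hashlib.md5(mpi(n)[2:] + mpi(e)[2:]).hexdigest().upper()
    raise ValueError(f"unsupported key version {version}")


def normalize(fp: str) -> str:
    """Drop the grouping spaces and case differences of a fingerprint read off a slip."""
    return re.sub(r"[^0-9A-Fa-f]", "", fp).upper()


def fingerprints_match(shown: str, computed: str) -> bool:
    return normalize(shown) == normalize(computed)


def uid_to_sign(slip_fingerprint: str, pkt: bytes, name_on_photo_id: str, key_uids):
    """The checks from the message: the key fetched from the keyserver must hash
    to the fingerprint the person handed over, and only the user ID whose name
    matches the photo ID is certified. Returns that user ID, or None."""
    if not fingerprints_match(slip_fingerprint, fingerprint(pkt)):
        return None
    for uid in key_uids:
        if uid.split("<", 1)[0].strip() == name_on_photo_id:
            return uid
    return None


# Constructed toy key (modulus far too small to be real) and constructed user IDs.
N, E = 0xC2BD5C5B7A1F3D9E04D2B7F1A5C9E3B7, 65537
CREATED = 0x36A00000
KEY_V4 = public_key_packet(rsa_key_body(4, CREATED, N, E))
KEY_V3 = public_key_packet(rsa_key_body(3, CREATED, N, E))
UIDS = ["John Smith <jsmith@example.org>", "J. Smith (work) <js@example.net>"]

if __name__ == "__main__":
    slip = " ".join(re.findall("..", fingerprint(KEY_V4)))  # as printed on paper
    print("v4:", fingerprint(KEY_V4))
    print("v3:", fingerprint(KEY_V3))
    print("sign:", uid_to_sign(slip, KEY_V4, "John Smith", UIDS))
    swapped = public_key_packet(rsa_key_body(4, CREATED, N, 3))  # a "forged" key under the same name
    print("swapped key:", uid_to_sign(slip, swapped, "John Smith", UIDS))
```

The point of hashing only the public-key packet is the one made in the message: the signer never sees the private key, and a key substituted "along the way" under the same name hashes to a different fingerprint, so the comparison against the slip catches it. The v3 branch also shows why that older format is weaker: its fingerprint covers nothing but n and e, so two v3 keys with the same modulus and exponent but different creation times are indistinguishable by fingerprint.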

