
Re: Challenge-response mail filters considered harmful

On Mon, 4 Aug 2003 10:41:37 -0700
Alan Connor <alanc@localhost> wrote:
> Funny. I know someone who has 2 of those PGP signatures things, neither
> of which use his real name or stats.
> He can prove that he is someone he isn't.

No, he can't.  That's not what a PGP signature is, does, or is for.

All a PGP signature on a piece of email (or any other document/file/
whatever) tells you is:

1.  That it's exceedingly likely that it was signed with a particular
	private key (and you can determine *which* private key, by
	comparing the signature to the public key generated by that
	private key);

2.  That it's exceedingly likely that the document hasn't been altered
	since it was signed.

A PGP signature does *not* tell you that whoever used the private key
to sign the message is really who they say they are.  If a public and
private key is apparently associated with a user named "Humpty T.
Dumpty," there's no guarantee that that person exists, or that that's
really the identity of the person holding that private key.  That's up
to the recipient to decide, through setting a confidence level to the
key.  However, keysigning, and the resulting so-called "web of trust,"
can make this easier.

You might want to read about PGP, and public key infrastructures, a bit



Chris Metzler			cmetzler@speakeasy.snip-me.net
		(remove "snip-me." to email)

"As a child I understood how to give; I have forgotten this grace since I
have become civilized." - Chief Luther Standing Bear
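The three points above (signature bound to one private key, tamper detection, and the name being an unchecked label that the recipient must decide to trust) as an added example; this is not code from the original message. It uses Go's standard-library Ed25519 as a stand-in for PGP's actual signature algorithm, which is an assumption, but the semantics being illustrated are the same.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Identity is what a PGP "user ID" amounts to: a free-text label stored
// beside a public key. Nothing in the signature math ever looks at it.
type Identity struct {
	Name string            // claimed name, e.g. "Humpty T. Dumpty"
	Pub  ed25519.PublicKey // public half of the signing key
	priv ed25519.PrivateKey
}

// NewIdentity generates a key pair and attaches whatever name the key
// holder chooses to it; no one checks that the name is real.
func NewIdentity(name string) (*Identity, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Identity{Name: name, Pub: pub, priv: priv}, nil
}

// Sign produces a detached signature over msg with the identity's private key.
func (id *Identity) Sign(msg []byte) []byte {
	return ed25519.Sign(id.priv, msg)
}

// VerifyDetached answers only the two questions a signature can answer:
// was msg signed with the private key matching pub, and is msg unaltered?
// It takes no name argument because the signature says nothing about one.
func VerifyDetached(pub ed25519.PublicKey, msg, sig []byte) bool {
	return ed25519.Verify(pub, msg, sig)
}

func main() {
	holder, _ := NewIdentity("Humpty T. Dumpty")
	msg := []byte("constructed sample message")
	sig := holder.Sign(msg)
	fmt.Println("same key, same message:   ", VerifyDetached(holder.Pub, msg, sig))            // true
	fmt.Println("same key, altered message:", VerifyDetached(holder.Pub, []byte("edited"), sig)) // false
	other, _ := NewIdentity("Humpty T. Dumpty") // same name, different key
	fmt.Println("same name, other key:     ", VerifyDetached(other.Pub, msg, sig)) // false
	fmt.Println("trust in the name is the recipient's decision, not the signature's")
}
```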
