
Re: Challenge-response mail filters considered harmful

On Mon, Aug 04, 2003 at 10:41:37AM -0700, Alan Connor wrote:
> Funny. I know someone who has 2 of those PGP signature things, neither of
> which use his real name or stats.
> He can prove that he is someone he isn't.

The GPG signature on this mail does not prove that I am Colin Watson. It
proves that I'm in possession of the same key that signed all other
messages signed by the same key, but that's about it.

If you download my key, key ID 10FA4CD1, and do 'gpg --list-sigs
10fa4cd1', however, you'll see the list of other people (strictly, their
keys; you'd have to download their keys in turn to see the names) who
have met me, verified my identity, and are willing to say that I am who
I say I am. People who can find the key of people they know and trust
there have evidence that I'm Colin Watson. Also, the keys of all Debian
developers - and only Debian developers - are available from
keyring.debian.org, so having the key is enough identification to allow
me to upload packages.

The GPG web of trust among Debian developers is one of the strongest in
the world, since we make so much use of it for the project's security.
For proof, see the global stats at
and match up the keys against our keyring. This is a useful defence
against people sneaking into the project under false identities; it's
not watertight, and it's possible it's been broken, but it's a lot
harder than it would be otherwise.

> This fellow isn't even a particularly skilled hacker.

Well, you certainly haven't mentioned anything that he's done that
requires the remotest skill. Here's how to do it: 'gpg --gen-key'.
Getting the key signed by someone I trust would be a more impressive
trick, as he'd have to be a skilled *social* hacker to do that.


Colin Watson                                  [cjwatson@flatline.org.uk]
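An added example, not from Colin's mail or any Debian tool, of the check the message describes: parse the colon-format output of `gpg --list-sigs`, drop the self-signature, and see whether any remaining signer is a key you already trust. It also shows the `gpg --gen-key` case from the end of the mail, where a fresh key has no certification but its own. Apart from key ID 10FA4CD1 and Colin Watson's name, every key ID, name and listing line is a constructed placeholder.

```python
# Added example (not Colin Watson's code): check whether a key's
# certifications, as printed by `gpg --list-sigs --with-colons`, include a
# signer the reader already trusts. Every key ID other than 10FA4CD1, and
# every name other than Colin Watson's, is a constructed placeholder.

# Constructed sample of `gpg --list-sigs --with-colons 10fa4cd1` output.
# Field 1 is the record type, field 5 the key ID, field 10 the user ID;
# gpg prints "[User ID not found]" when the signer's key is not local,
# which is why the mail says you must fetch the signers' keys to see names.
SAMPLE_LISTING = """\
pub:f:1024:17:0000000010FA4CD1:1999-06-10:::-:Colin Watson <cjwatson@debian.org>::scaESCA:
sig:::17:0000000010FA4CD1:1999-06-10::::Colin Watson <cjwatson@debian.org>:13x:
sig:::17:00000000AAAA1111:2001-03-02::::[User ID not found]:10x:
sig:::17:00000000BBBB2222:2002-07-15::::Example Signer <signer@example.org>:13x:
"""

# Constructed listing for a key made with `gpg --gen-key` and never signed
# by anyone else: it carries nothing but its own self-signature.
FRESH_KEY_LISTING = """\
pub:-:1024:17:00000000DEAD0001:2003-08-04:::-:Not Really Colin <fake@example.org>::scaESCA:
sig:::17:00000000DEAD0001:2003-08-04::::Not Really Colin <fake@example.org>:13x:
"""

def _short_id(key_id):
    # 8-hex short IDs are what the 2003 mail uses; they collide easily,
    # so real tooling should compare full fingerprints instead.
    return key_id.upper()[-8:]

def parse_list_sigs(listing):
    """Return {key_id: {signer_id: signer_uid}} from colon-format output."""
    keys = {}
    current = None
    for line in listing.splitlines():
        fields = line.split(":")
        if fields[0] == "pub":
            current = _short_id(fields[4])
            keys[current] = {}
        elif fields[0] == "sig" and current is not None:
            keys[current][_short_id(fields[4])] = fields[9]
    return keys

def external_certifications(keys, key_id):
    """Signatures on key_id by other keys; the self-signature proves nothing."""
    kid = _short_id(key_id)
    return {s: uid for s, uid in keys.get(kid, {}).items() if s != kid}

def trusted_certifiers(keys, key_id, trusted):
    """Signers of key_id whose keys the reader has already verified in person."""
    trusted_ids = {_short_id(t) for t in trusted}
    return sorted(s for s in external_certifications(keys, key_id) if s in trusted_ids)
```

Feed it real `gpg --list-sigs --with-colons` output instead of the constructed strings and the trusted set would be the key IDs of people you have verified yourself.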