Re: Challenge-response mail filters considered harmful
On Mon, Aug 04, 2003 at 01:01:48PM -0700, Alan Connor wrote:
> Kirk Strauser:
> > In the same way, I could be Becky Smith using an alias. Regardless
> > of my real identity, you know that any post with my signature was
> > written by *me*.

> That has no meaning to me. What if I were to just copy all of that garbage
> on your posts? Wouldn't people then think I was you?

Please do even the tiniest bit of research; the "garbage" is a
mathematical function of the content of the message, not a single static
object. This is a startlingly elementary mistake to make.

> > If you trust this representation, do you really care if there's an
> > exact correlation to a real-world identity?

> Don't trust it for one second. Don't believe that corporations and the
> government can't decode PGP.

I rather doubt it, actually. At the very least, it would take a very
significant amount of computing horsepower per key that you wanted to
attack. I believe I'd have heard about it if there were significant
vulnerabilities in GPG's cipher algorithms (certainly if they were known
by corporations!), and brute-force attacks on 1024-bit keys will be far
from easy. In the real world, it would be far easier for a government to
use physical means to appropriate your key.

(I work for a cryptography company whom I won't name because I don't
want to imply that I'm speaking for them, but it wouldn't take too much
effort to find out if you cared.)

> *I* wouldn't even consider using PGP signatures.

As you've demonstrated, you don't even understand them, so whatever.

Colin Watson [email@example.com]
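
The point above, that a signature is a function of the message content and so cannot be copied onto a different message, shown as an added example that is not part of the original post. It assumes a toy hash-then-sign textbook RSA scheme with a deliberately weak constructed key (two Mersenne primes, no padding); this is not GPG's actual signing code, and all names and messages are hypothetical.

```python
import hashlib

# Toy key, constructed for illustration only: a modulus built from two
# Mersenne primes is trivially factorable, and no padding is applied.
P = 2**521 - 1
Q = 2**607 - 1
N = P * Q
E = 65537                            # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))    # private exponent (Python 3.8+)


def digest(message: bytes) -> int:
    """SHA-256 of the message as an integer (always smaller than N)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(message: bytes) -> int:
    """Signature = digest raised to the private exponent, mod N."""
    return pow(digest(message), D, N)


def verify(message: bytes, signature: int) -> bool:
    """Recover the signed digest with the public key and compare it
    with the digest of the message actually presented."""
    return pow(signature, E, N) == digest(message)


def demo() -> dict:
    original = b"Any post with my signature was written by me."  # constructed
    other = b"I never wrote this sentence."                      # constructed
    sig = sign(original)
    return {
        # The signer's own message with its own signature verifies.
        "original_with_own_sig": verify(original, sig),
        # The same signature pasted under different text does not.
        "other_text_with_copied_sig": verify(other, sig),
        # Changing a single byte of the signed text also breaks it.
        "one_byte_changed": verify(original.replace(b"me.", b"me!"), sig),
        # Each message yields its own signature value.
        "sigs_differ_per_message": sign(other) != sig,
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

Copying both the message and its signature verbatim still verifies, but that only reproduces text the key holder really signed.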