Re: Challenge-response mail filters considered harmful

On Mon, Aug 04, 2003 at 01:01:48PM -0700, Alan Connor wrote:
> Kirk Strauser:
> > In the same way, I could be Becky Smith using an alias.  Regardless
> > of my real identity, you know that any post with my signature was
> > written by *me*.
> That has no meaning to me. What if I were to just copy all of that garbage
> on your posts? Wouldn't people then think I was you?

Please do even the tiniest bit of research; the "garbage" is a
mathematical function of the content of the message, not a single static
object. This is a startlingly elementary mistake to make.

> > If you trust this representation, do you really care if there's an
> > exact correlation to a real-world identity?
> Don't trust it for one second. Don't believe that corporations and the 
> government can't decode PGP.

I rather doubt it, actually. At the very least, it would take a very
significant amount of computing horsepower per key that you wanted to
attack. I believe I'd have heard about it if there were significant
vulnerabilities in GPG's cipher algorithms (certainly if they were known
by corporations!), and brute-force attacks on 1024-bit keys will be far
from easy. In the real world, it would be far easier for a government to
use physical means to appropriate your key.

(I work for a cryptography company whom I won't name because I don't
want to imply that I'm speaking for them, but it wouldn't take too much
effort to find out if you cared.)

> *I* wouldn't even consider using PGP signatures.

As you've demonstrated, you don't even understand them, so whatever.


Colin Watson                                  [cjwatson@flatline.org.uk]
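
Added example, not part of the original message or of GnuPG: a minimal hash-then-sign sketch showing why a signature block copied onto a different message fails verification. The toy key (two small Mersenne primes), the unpadded RSA and the sample message texts are constructed assumptions for illustration; real OpenPGP signatures use much larger keys plus padding and packet framing.

```python
import hashlib

# Constructed toy key: two Mersenne primes, far too small for real use.
P = 2**127 - 1
Q = 2**107 - 1
N = P * Q                           # public modulus
E = 65537                           # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent (Python 3.8+)


def digest_int(message: bytes) -> int:
    """SHA-256 of the message, reduced to fit below the toy modulus."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N


def sign(message: bytes) -> int:
    """Signature = digest^D mod N; only the private-key holder can compute it."""
    return pow(digest_int(message), D, N)


def verify(message: bytes, signature: int) -> bool:
    """Anyone holding (N, E) can check the signature against this exact message."""
    return pow(signature, E, N) == digest_int(message)


def demo() -> dict:
    # Constructed sample messages.
    original = b"Regardless of my real identity, this post was written by me."
    other = b"A different post with the same signature block pasted on."
    sig = sign(original)
    return {
        "original_ok": verify(original, sig),               # genuine post
        "copied_sig_ok": verify(other, sig),                # signature pasted elsewhere
        "one_byte_change_ok": verify(original + b" ", sig),  # tiny edit to the post
        "sigs_differ": sign(original) != sign(other),       # signature depends on content
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```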