
Re: Challenge-response mail filters considered harmful



Kirk Strauser wrote:
> At 2003-08-04T20:01:48Z, Alan Connor writes:
>
>> That has no meaning to me. What if I were to just copy all of that garbage
>> on your posts? Wouldn't people then think I was you?
>
> Not unless you can reverse-engineer the private key that I used to sign my
> posts, and use that key to sign the forged messages.  Otherwise, it's a
> broken signature that's brightly flagged by all email programs that support
> PGP/GPG.


Just to explain a little further for the benefit of any intelligent bystanders who haven't yet learned about PGP, the top line of my email client on Kirk's message reads:

UNTRUSTED Good signature from W. Kirk Strauser <kirk@strauser.com>, Key Id 0x8D02A6F1

This tells me that my client has successfully verified that the signature matches the text of the message, and was made with the referenced key that I already have a copy of. UNTRUSTED means that I do not know that the key in question belongs to anybody in particular; however, I can easily check that all the messages I have from "kirk@strauser.com" were signed with the same key.

Conversely, the messages that have suddenly started appearing with a From address of "alanc@localhost" (!) could have come from anyone, but moreover, they could quite easily have come from someone completely different from the alanconnor@earthlink.net that was spouting last week. The fact that they evidently come from a mail system that is *even more* screwed up than that from which the previous ones originated might lead me to suspect that they were from another person, if I could think of any reason why anyone would want to. (The obvious explanation is that someone is trying to discredit Alan Connor, but that hardly seems necessary).

Attachment: pgpWd5s6soH_m.pgp
Description: PGP signature
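
The key-continuity check described in the message above, as an added example that is not part of the original post: it reads GnuPG `--status-fd` lines (`GOODSIG`, `BADSIG`, `ERRSIG`, `TRUST_*`) for each message and reports whether every good signature from one From address was made with the same key. The addresses, key IDs and status lines in `SAMPLE` are constructed for illustration, and the function names are hypothetical.

```python
import re

# One line of `gpg --status-fd` output: "[GNUPG:] KEYWORD args..."
STATUS = re.compile(r"^\[GNUPG:\] (\S+)(?: (.*))?$")

def classify(status_text):
    """Return (verdict, key_id, trusted) for one message's gpg status output."""
    verdict, key_id, trusted = "unsigned", None, False
    for line in status_text.splitlines():
        m = STATUS.match(line.strip())
        if not m:
            continue
        keyword, args = m.group(1), (m.group(2) or "").split()
        if keyword == "GOODSIG":            # signature matches the text
            verdict, key_id = "good", args[0]
        elif keyword == "BADSIG":           # text or signature was altered
            verdict, key_id = "bad", args[0]
        elif keyword == "ERRSIG":           # could not be checked (e.g. no key)
            verdict, key_id = "unverifiable", args[0]
        elif keyword in ("TRUST_FULLY", "TRUST_ULTIMATE"):
            trusted = True                  # key ownership has been validated
    return verdict, key_id, trusted

def continuity_report(messages):
    """messages: list of (from_address, status_text), oldest first."""
    pinned, report = {}, []                 # from_address -> first good key seen
    for sender, status in messages:
        verdict, key_id, trusted = classify(status)
        if verdict == "good":
            if pinned.setdefault(sender, key_id) != key_id:
                note = "KEY-CHANGED"
            else:
                note = "consistent" + ("" if trusted else " (untrusted key)")
        elif verdict == "bad":
            note = "FORGED-OR-ALTERED"      # e.g. a signature block copied onto other text
        else:
            note = "NO-EVIDENCE"            # unsigned: could have come from anyone
        report.append((sender, note))
    return report

# Constructed sample input: not taken from any real mailbox.
GOOD_A = "[GNUPG:] GOODSIG AAAAAAAAAAAAAAAA Alice <alice@example.org>\n[GNUPG:] TRUST_UNDEFINED 0 pgp"
SAMPLE = [
    ("alice@example.org", GOOD_A),
    ("alice@example.org", GOOD_A),
    ("alice@example.org", "[GNUPG:] BADSIG AAAAAAAAAAAAAAAA Alice <alice@example.org>"),
    ("mallory@localhost", ""),
    ("alice@example.org", "[GNUPG:] GOODSIG BBBBBBBBBBBBBBBB Alice <alice@example.org>\n[GNUPG:] TRUST_UNDEFINED 0 pgp"),
]

if __name__ == "__main__":
    for sender, note in continuity_report(SAMPLE):
        print(f"{sender:22} {note}")
```
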

