Wednesday, August 6, 2008

Re: [BLUG] New GPG key

To elaborate, the web of trust provides authentication. If you get a
PGP-encrypted email from someone you don't know, you also don't know that
the sender is who he or she claims to be. You can, however, check the
signatures on the sender's key and make a rather accurate guess how
honest the person is.

It's fine to trust the keys of people you know, but sometimes you can't
verify the key fingerprint over a secure channel beforehand. It's open
to a man-in-the-middle attack. But if a trusted third party signs the
key, you can be reasonably sure of the sender.

With distributed development, PGP becomes a necessity in order to
digitally sign things to authenticate the sender. For example, Debian
(and Ubuntu) packages are signed so you know they came from their
maintainer and not some shady other person who wants to install a
backdoor in your email server.

I offered to do a presentation for BLUG on asymmetric crypto and PGP/GPG
some time ago, and I think I need to get it ready sooner rather than
later. There's a lot of information to distill.

Michael Schultheiss wrote:
> Joe Auty wrote:
>
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> I don't mean to sound like a complete jerk, but what is the draw with
>> these key signing parties? Is it some sort of social thing? I only
>> really feel compelled to have keys for people that send me critical
>> information I might want to authorize and/or encrypt. For casual
>> correspondence like this list and most chatting, I guess I haven't
>> gotten caught up in collecting public keys.
>>
>> Am I missing the point here? Again, I don't mean to sound critical of
>> the practice, I'm honestly wondering if I'm missing some angle here...
>>
>
> The draw is expanding the web of trust. If you ever want to join a
> project like Debian that requires you already be in a specific web of
> trust, participating in key signing parties helps out.
>
> Key signing parties are more for the verification that Person X most
> likely controls key X and also has shown photo ID that matches the name
> on the key.
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> BLUG mailing list
> BLUG@linuxfan.com
> http://mailman.cs.indiana.edu/mailman/listinfo/blug
>
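
Added example (not part of the original message or the quoted replies): a simplified Python model of GnuPG's classic trust rule, showing how signatures from trusted third parties make an unknown sender's key valid. The key names and signature graph are constructed sample data; the thresholds are GnuPG's documented defaults, and expiry, revocation and trust signatures are left out.

```python
# Simplified model of GnuPG's classic trust rule (added example).
# Key names and the signature graph are constructed sample data.
FULL, MARGINAL = "full", "marginal"
COMPLETES_NEEDED = 1  # GnuPG default for --completes-needed
MARGINALS_NEEDED = 3  # GnuPG default for --marginals-needed
MAX_CERT_DEPTH = 5    # GnuPG default for --max-cert-depth

def valid_keys(my_key, signatures, ownertrust):
    """Return {key: depth} for each key this model accepts as valid.

    signatures: {key: set of signer keys}; assumed already verified
                cryptographically.
    ownertrust: {key: FULL | MARGINAL}; how far *you* trust that owner
                to check identities before signing someone else's key.
    """
    valid = {my_key: 0}  # your own key is the trust root
    for depth in range(1, MAX_CERT_DEPTH + 1):
        newly = {}
        for key, signers in signatures.items():
            if key in valid:
                continue
            # A signature only counts if the signing key is itself valid.
            usable = [s for s in signers if s in valid]
            full = sum(s == my_key or ownertrust.get(s) == FULL for s in usable)
            marginal = sum(ownertrust.get(s) == MARGINAL for s in usable)
            if full >= COMPLETES_NEEDED or marginal >= MARGINALS_NEEDED:
                newly[key] = depth
        if not newly:
            break
        valid.update(newly)
    return valid

SIGS = {
    "alice": {"me"}, "bob": {"me"}, "carol": {"me"}, "dave": {"me"},
    "stranger": {"alice"},                 # one fully trusted introducer
    "maintainer": {"bob", "carol"},        # two marginal introducers: too few
    "packager": {"bob", "carol", "dave"},  # three marginal introducers
    "mallory": {"mallory2"},               # signer is not in my web of trust
}
TRUST = {"alice": FULL, "bob": MARGINAL, "carol": MARGINAL, "dave": MARGINAL}

if __name__ == "__main__":
    for key, depth in sorted(valid_keys("me", SIGS, TRUST).items()):
        print(f"{key}: valid at depth {depth}")
```

Keys that never reach the threshold ("maintainer" and "mallory" here) stay unverified, which is the case where the fingerprint has to be checked over another channel.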
