Sun., 21 Feb 2016 at 16:38 (+0000), Pete Biggs wrote:
> > > This is not the way it's supposed to work. If I don't check the
> > > public key is trusted, why should I believe a message signed with it?
> > > Simply picking up the key with the message is tantamount to doing
> > > nothing. I must either know the key beforehand (i.e. I have it in my
> > > keyring) or I fetch it from a public server and check who vouches for
> > > it.
> > > 
> > > poc
> > 
> > That's what I thought too. Like my friend and I. We physically
> > checked each other's fingerprints too. We know who we are and who the
> > key belongs to. So of course we sign it and trust it.
> > 
> Sorry, I've come a bit late to this bit of the conversation ...
> 
> Signing a message does two things:
> 
>  1) it verifies who the sender is and
> 
>  2) verifies that the contents of the message haven't changed.
> 
> In order to do both with any sort of veracity, you must know with
> absolute certainty who the key that the message is signed with belongs
> to.
> 
> Merely adding a public key to the message does NOT enable you to do
> this. 
> 
> Remember that ANYONE can generate a PGP public/private key pair in the
> name of any person. So I can generate a key in Stig's name, write an
> email spoofing his email address, sign it and add the public key to the
> email to "verify" the message ... would you accept it??  Even worse, I
> could intercept a message between Stig and his friend, edit the plain
> text, re-sign it with the bogus key and pass it on (with the public key
> attached so it can be "verified").
> 
> No, you absolutely MUST NOT trust a public key attached to a message
> unless it has been independently signed and verified by a 3rd party
> *that you trust*.
> 
> It is only through a web of trust created by signed keys that you can
> be reasonably certain that new keys are correct; and similarly, you
> must only sign keys that you know WITH ABSOLUTE CERTAINTY belong to the
> person.  I have been involved with CERT PGP key signing parties in the
> past where the only valid form of identification is a passport and the
> person must be physically present - but you do get a key that most
> people trust!
> 
> P.

Extremely useful information, a lesson to learn by heart. If not their
passport (I know that in some cases it's the only valid ID), at least I
have the habit of meeting people face to face, like people I really
trust, before signing and trusting their key. I only encrypt to people I
trust IF the message requires it. And I have other computers and emails
for that too. But I also agree with Snowden. Sensitive, personal letters
to friends, family, co-workers and the like, is a good habit. Tails/Tor,
Signal for phone ... Strange times, and we should protect ourselves - if
we know how to do it. There's good quality from people in here. I choose
to listen, learn - and then make my own choices. 

Stig
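
The trust decision Pete describes above (a key attached to the mail can only say which key signed it, never whose key it is; validity has to come from keys you have already checked and signed), as an added illustration that is not part of this thread. It models a keyring with owner-trust levels and key certifications in the conventional GnuPG-style web-of-trust rules (1 full or 3 marginal certifiers), which is an assumption of the example, not something the thread spells out; all fingerprints are constructed.

```python
from dataclasses import dataclass, field

# Owner-trust levels and thresholds follow the conventional GnuPG-style model (assumed
# here): a key becomes valid when 1 fully or 3 marginally trusted *valid* keys certify it.
ULTIMATE, FULL, MARGINAL, NONE = "ultimate", "full", "marginal", "none"
FULL_NEEDED, MARGINAL_NEEDED, MAX_DEPTH = 1, 3, 5


@dataclass
class Keyring:
    # fingerprint -> owner-trust you assigned after checking the person yourself
    owner_trust: dict = field(default_factory=dict)
    # fingerprint -> fingerprints of the keys whose owners certified (signed) it
    certifications: dict = field(default_factory=dict)

    def is_valid(self, fpr, depth=0):
        """True if the key is your own, or enough already-valid, trusted keys vouch for it."""
        if self.owner_trust.get(fpr) == ULTIMATE:
            return True
        if depth >= MAX_DEPTH:
            return False
        full = marginal = 0
        for signer in self.certifications.get(fpr, set()):
            # A self-signature, or a signer that is not itself valid, vouches for nothing:
            # this is exactly why a key attached to the mail cannot prove the sender.
            if signer == fpr or not self.is_valid(signer, depth + 1):
                continue
            level = self.owner_trust.get(signer, NONE)
            full += level in (FULL, ULTIMATE)
            marginal += level == MARGINAL
        return full >= FULL_NEEDED or marginal >= MARGINAL_NEEDED


def build_example_keyring():
    """Constructed scenario: my key, a friend checked in person, a self-signed key that arrived attached to a mail."""
    kr = Keyring()
    me, friend, bogus = "ME00", "FRIEND01", "BOGUS99"  # constructed fingerprints
    kr.owner_trust[me] = ULTIMATE
    kr.certifications[friend] = {me}   # fingerprint compared face to face, so I signed it
    kr.owner_trust[friend] = FULL
    kr.certifications[bogus] = {bogus}  # only its own signature; nobody I trust vouches
    # Three people I trust marginally each certified a fourth key whose owner I never met
    for mid in ("MARG_A", "MARG_B", "MARG_C"):
        kr.certifications[mid] = {me}
        kr.owner_trust[mid] = MARGINAL
    kr.certifications["COLLEAGUE42"] = {"MARG_A", "MARG_B", "MARG_C"}
    return kr


if __name__ == "__main__":
    kr = build_example_keyring()
    for fpr in ("FRIEND01", "BOGUS99", "COLLEAGUE42"):
        print(fpr, "signature can be believed" if kr.is_valid(fpr) else "reject: no trusted path")
```

The cryptographic check of the signature itself is assumed to have already passed for every key here; the point is that passing it says nothing until a trusted path to the signing key exists.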

_______________________________________________
evolution-list mailing list
evolution-list@gnome.org