On 1/2/2011 11:04 AM, takethe...@gmx.de wrote: > And thankfully David Shaw answerd: > >>> By default, yes. You can override this, >>> but it is not a good idea. > > Thus the answer to the question, whether one needs to check whether the key > is self-signed is conneced with the word "override". What did he mean with > that? Changing the source code of my version of gnuPG on my hard disk and > recompiling or changing some sort of configuration file on my hard disk?
gpg provides many options for backward compatibility and interoperability with other OpenPGP implementations. I'm presuming David is talking about this: <snip from 'man gpg'> -allow-non-selfsigned-uid Allow the import of keys with user IDs which are not self-signed. This is only allows the import - key validation will fail and you have to check the validity of the key my other means. This hack is needed for some German keys generated with pgp 2.6.3in. You should really avoid using it, because OpenPGP has better mechanics to do separate signing and encryption keys. </snip> > If that's the case, then I don't need to advise people to check whether a key > is self-signed, because an attacker needes access to my hard disk to override > the self-sign-check. But if he already has access to my hard disk, he can as > well to worse things like installing a keylogger or something. Thus in this > case I'm beaten already, isn't that so? > As you've said, I'm not sure how plausible it is to worry about that attack scenario. If someone is in a position gto modify your gpg.conf, there are much easier ways to attack you than modifying that setting and tricking you into loading an non-self-signed key years later. > > EXPLANATION > The fingerprint is a hash value of the public master signing key only, NOT of > the public subordinate encryption key. Only if that public subordinate > encryption key is self-signed, I can be sure the owner of the private key > wanted it to belong to his public key. Otherwise it might have been placed > there by an attacker. > That's technically correct-- the best kind of correct. If I were writing an introduction to OpenPGP, I'd focus on the purpose of the fingerprint, and not the implementation details of keys and subkeys and signing, and all that. A fingerprint: 1) Allows you to verify that the key you have is the one you think you have, and it hasn't been forged or modified. 2) Is only useful if obtained via an out-of-band channel, such as meeting in person or over the phone. If someone can forge one email, they can forge another. Same with webpages or keyservers. 3) Only authenticates the key itself. It doesn't do anything to authenticate the user. It doesn't prove that jack_ba...@ctu.gov is who he says he is. That's up to you. -- Grant "Can you construct some sort of rudimentary lathe?" _______________________________________________ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users