On Wed, Aug 14, 2013 at 12:17:36PM +0200, Jan Eden wrote:
> On Wed, Aug 14, 2013 at 10:06:59AM +0000, Henry Hertz Hobbit wrote:
> > On 08/14/2013 08:33 AM, Johan Wevers wrote:
> > > On 14-08-2013 5:36, Foo Bar wrote:
> > >
> > >> I would like to create a domain key, which can be used for all
> > >> emails in a particular domain. For example, if the key is for
> > >> "*@example.com", then sending to both "f...@example.com" and
> > >> "b...@example.com" would use this key.
> > >>
> > >> Is this possible with GPG?
> > >
> > > You can use each key for each mail, your sender address doesn't have to
> > > be the address in the key.
> > >
> >
> > I am not saying you are wrong because I don't know. But it does
> > seem dangerous from a real world practical point of view.
> > Should I really be able to send a message pretending to come
> > from herrprofes...@monsters.edu when I am really just a visitor
> > to the University being awarded an honorary degree? Part of that
> > was being given a hhhob...@monsters.edu email account since
> > all people granted a Ph.D. are also given an email account that
> > they can use until they are dead unless they ask that it be
> > closed down.
>
> I can always create a key for herrprofes...@monsters.edu and send
> messages from this address signed with the key. But if I do not control
> the domain (or at least a mailbox associated with the address), I will
> never receive replies to my forged messages.
I see I am insufficiently devious. I was assuming that the message was
signed with hhhobbit's key, not a forged key.

Now there are two possibilities. If Herr Professor has no PGP key or has
never used it, then the signature has no reputation and should be verified
out-of-band. Otherwise, there are now two keys asserting that address and
not linked by cross-signatures. Suspicious, verify out-of-band.

It seems unduly risky. Traditional methods of forgery try to bury one
identity under another, but forging PK certificates *asserts* a new
identity. It feels to me like making too much noise -- it attracts
attention just when and where the forger wants to *deflect* attention.

-- 
Mark H. Wood, Lead System Programmer mw...@iupui.edu
Machines should not be friendly. Machines should be obedient.
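The policy Mark describes (a signature from a key with no reputation, or from one of two keys that both claim an address without cross-certification, should be verified out-of-band) can be written down as a receiving-side check. The script below is an added example and is not code from the thread or from GnuPG; it parses the `[GNUPG:]` status lines that `gpg --status-fd` emits (`GOODSIG`, `VALIDSIG`, `TRUST_*`), compares the signer's UID address with the message's From header, and consults a small keyring model. The status lines, fingerprints, addresses and the `keyring` dictionary layout are all constructed for the example; a real deployment would build the keyring model from `gpg --list-sigs --with-colons` output.

```python
import re
from email.utils import parseaddr

# Trust levels gpg reports for a key the local web of trust actually vouches for.
TRUSTED_LEVELS = {"TRUST_FULLY", "TRUST_ULTIMATE"}

# Constructed fingerprints (not real keys) for the two keys in the story.
PROF_FPR = "0123456789ABCDEF0123456789ABCDEF01234567"
OTHER_FPR = "FEDCBA9876543210FEDCBA9876543210FEDCBA98"
PROF_UID = "Herr Professor <herrprofessor@monsters.edu>"

# Constructed sample of `gpg --status-fd 1 --verify` output: good, fully trusted signature.
STATUS_TRUSTED = f"""\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF {PROF_UID}
[GNUPG:] VALIDSIG {PROF_FPR} 2013-08-14 1376475600 0 4 0 1 10 00 {PROF_FPR}
[GNUPG:] TRUST_FULLY 0 pgp
"""

# Same signature, but the key has no reputation in the local web of trust.
STATUS_UNKNOWN = STATUS_TRUSTED.replace("TRUST_FULLY", "TRUST_UNDEFINED")

# Keyring model (constructed): fingerprint -> UIDs and the fingerprints that certified it.
KEYRING_SINGLE = {PROF_FPR: {"uids": [PROF_UID], "certified_by": set()}}
KEYRING_CONFLICT = {
    PROF_FPR: {"uids": [PROF_UID], "certified_by": set()},
    OTHER_FPR: {"uids": [PROF_UID], "certified_by": set()},   # second key asserting the same address
}
KEYRING_LINKED = {
    PROF_FPR: {"uids": [PROF_UID], "certified_by": {OTHER_FPR}},  # the other key certified this one
    OTHER_FPR: {"uids": [PROF_UID], "certified_by": set()},
}


def parse_status(status_text):
    """Pull the signer UID, fingerprint and trust keyword out of gpg status lines."""
    sig = {"good": False, "uid": "", "fingerprint": None, "trust": None}
    for line in status_text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue
        fields = line[len("[GNUPG:] "):].split(" ", 2)
        keyword = fields[0]
        if keyword == "GOODSIG":              # GOODSIG <long keyid> <user id>
            sig["good"] = True
            sig["uid"] = fields[2] if len(fields) > 2 else ""
        elif keyword == "VALIDSIG":           # VALIDSIG <fingerprint> <date> <timestamp> ...
            sig["fingerprint"] = fields[1]
        elif re.fullmatch(r"TRUST_[A-Z]+", keyword):
            sig["trust"] = keyword
    return sig


def address_of(uid_or_header):
    """Lower-cased e-mail address inside a UID string or a From header."""
    return parseaddr(uid_or_header)[1].lower()


def unlinked_claimants(keyring, fingerprint, address):
    """Other keys whose UIDs claim `address` and that share no certification with `fingerprint`."""
    mine = keyring.get(fingerprint, {"certified_by": set()})["certified_by"]
    found = []
    for fpr, key in keyring.items():
        if fpr == fingerprint:
            continue
        if address not in {address_of(u) for u in key["uids"]}:
            continue
        linked = fpr in mine or fingerprint in key["certified_by"]
        if not linked:
            found.append(fpr)
    return found


def assess(status_text, from_header, keyring):
    """Apply the thread's policy: accept, reject, or push the decision out-of-band."""
    sig = parse_status(status_text)
    if not sig["good"]:
        return "reject: no good signature"
    claimed, sender = address_of(sig["uid"]), address_of(from_header)
    if claimed != sender:
        return f"reject: signer UID {claimed} does not match From {sender}"
    if sig["trust"] not in TRUSTED_LEVELS:
        return "verify out-of-band: signing key has no established trust"
    if unlinked_claimants(keyring, sig["fingerprint"], claimed):
        return "verify out-of-band: another key asserts this address without cross-certification"
    return "accept"


if __name__ == "__main__":
    for label, status, sender, ring in [
        ("trusted, matching",   STATUS_TRUSTED, PROF_UID,                         KEYRING_SINGLE),
        ("UID/From mismatch",   STATUS_TRUSTED, "hhhobbit@monsters.edu",          KEYRING_SINGLE),
        ("no reputation",       STATUS_UNKNOWN, PROF_UID,                         KEYRING_SINGLE),
        ("two unlinked keys",   STATUS_TRUSTED, PROF_UID,                         KEYRING_CONFLICT),
        ("two cross-signed",    STATUS_TRUSTED, PROF_UID,                         KEYRING_LINKED),
    ]:
        print(f"{label:20s} -> {assess(status, sender, ring)}")
```

The UID/From comparison is the check Johan's remark points at: gpg itself never enforces it, so a mail client or gateway has to. The keyring lookup encodes Mark's second case; in practice the "certified_by" sets would come from the signature packets gpg lists for each key.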
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users