Hi nb.linux,

* nb.linux <nb.li...@xandea.de> [29. Jan. 2014]:
> Gregor Zattler:
>> * Steve Jones <st...@secretvolcanobase.org> [24. Jan. 2014]:
>>> Which reminds me that I'd really like an email client that
>>> automatically signs keys at level 1 (persona) of anyone who replies
>>> with a signed email that quotes a significant portion of the text I
>>> sent, as this effectively counts as a challenge response protocol in my
>>> book.
>>
>> That's an interesting idea. But there is still the possibility
>> of a man in the middle attac... The web of trust is supposed to
>> counter MITM attacks by signing keys only if the verification was
>> done directly (no middle person).
>
> maybe you already discussed that, but what about sending someone an
> encrypted email (with the challenge) and wait for an encrypted reply
> with the signed challenge? (as you seem to talk only about sending a
> clear text challenge)

This would not help against a MITM attack. I want to send you an
email, email program fetches a key with uid nb.li...@xandea.de
from the server, evil organisation intercepts this, sends me key
with uid nb.li...@xandea.de, I send a challenge encrypted to this
key, evil organisation decrypts it, re-encrypts it to your key, sends
it to you, you sign-reply to my encrypted challenge, evil
organisation intercepts it...

> Personally, I don't want such behaviour. When I'm making a
> certification, then it's me doing it manually as I have the
> responsibility. I don't want some program to be able to make automatized
> certifications with my key.

me too.

Ciao; Gregor

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
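
The exchange described in the message above, as an added example that is not part of the original thread: it models the encrypted challenge and signed reply with toy textbook RSA and shows that the reply still verifies when the fetched key was substituted, while a fingerprint obtained directly from the owner exposes the swap. The key sizes, the names `challenge_response`, `safe_to_certify`, `OWNER` and `INTERCEPTOR`, and the re-signing step that continues the sentence ending in "..." are assumptions made for illustration.

```python
import hashlib
import secrets

# Toy textbook RSA over fixed Mersenne primes, no padding: illustration only.
def keypair(p, q, e=65537):
    n = p * q
    return (n, e), (n, pow(e, -1, (p - 1) * (q - 1)))  # (public, private)

def fingerprint(pub):
    return hashlib.sha256(repr(pub).encode()).hexdigest()[:16]

def rsa(key, m):
    # Public key: encrypt / verify. Private key: decrypt / sign.
    return pow(m, key[1], key[0])

def challenge_response(owner, interceptor=None):
    """Run the exchange; return (reply_verifies, fingerprint_sender_holds)."""
    owner_pub, owner_priv = owner
    # Keyserver lookup by uid: an on-path party can answer with its own key.
    fetched = interceptor[0] if interceptor else owner_pub
    challenge = secrets.randbits(64)
    wire = rsa(fetched, challenge)                 # challenge, encrypted
    if interceptor:
        # Decrypted with the substituted key, re-encrypted to the real one.
        wire = rsa(owner_pub, rsa(interceptor[1], wire))
    quoted = rsa(owner_priv, wire)                 # owner reads the challenge
    signature = rsa(owner_priv, quoted)            # owner's signed reply
    if interceptor:
        # Assumed continuation of the trailing "...": the reply is re-signed
        # with the substituted key so that it verifies for the sender.
        signature = rsa(interceptor[1], quoted)
    return rsa(fetched, signature) == challenge, fingerprint(fetched)

def safe_to_certify(reply_verifies, fetched_fp, fp_from_owner_in_person):
    # Direct verification: compare with a fingerprint obtained from the owner.
    return reply_verifies and fetched_fp == fp_from_owner_in_person

OWNER = keypair(2**61 - 1, 2**89 - 1)              # constructed keys
INTERCEPTOR = keypair(2**107 - 1, 2**127 - 1)

if __name__ == "__main__":
    real_fp = fingerprint(OWNER[0])
    for label, mitm in (("direct", None), ("intercepted", INTERCEPTOR)):
        ok, fp = challenge_response(OWNER, mitm)
        print(label, "reply verifies:", ok,
              "| certify after fingerprint check:", safe_to_certify(ok, fp, real_fp))
```

A client that certified keys whenever the reply verified would certify the substituted key in the second run; only the comparison against a fingerprint obtained without a middle party distinguishes the two cases.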