On Sat, 2015-02-28 at 18:39 +0100, Johan Wevers wrote:
> OR, in case a key belongs to a well-known person, you've seen it
> mentioned in enough places and seen it used to sign gpg packages to be
> rather certain that if it were a forgery someone would have noticed by
> now and made noise about it.

I'm not sure, but I fear you have some deep misunderstanding of cryptography... or at least that's how I understand your message (but maybe I'm confusing something).

"Well-known", "seen often enough" or "not having heard any noise about it" are absolutely no way to prove the validity of a key's named identity. If there was only one "Werner Koch" on the keyservers, and that key was signed by thousands of other famous names (Linus Torvalds, and the like), you still couldn't be sure of anything.

An attacker that MitMs you could just set up a fake web of trust in very little time, and when you ask your favourite keyserver, block any of the "real answers" and instead deliver you his faked key space with all the mutual signatures and so on. And you'd think "Only one Werner Koch, with an @gnupg.org email, even signed by all these other people - that can't be coincidence, some of them must have checked his ID, and if it was an impostor, I'd surely have read about it on heise.de" - while in fact no one other than you ever saw these faked keys.

If the attacker is powerful enough (and this is still way below what intelligence agencies can do - rather the level of what your network provider can do), they can also intercept anything you'd send back to the web with these forged keys, so they'd truly never be discovered.

Cheers,
Chris.

btw: These kinds of things are just what one can accuse heise of: they give people an all too easy view of crypto security, so that they'll believe things are secure by using one's phone number, or by using pinning techniques like HPKP.
_______________________________________________ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
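As an added illustration of the forged-web-of-trust scenario described in the mail above (example code written for this page, not from the mail, from GnuPG or from any keyserver software), the following model has a "real" keyring and an attacker's keyring built from the same user IDs. Every heuristic the mail criticises (exactly one key for the name, an address at the expected domain, plenty of mutually valid certifications) passes on both; only a fingerprint learned out of band tells them apart. Signatures use a toy RSA over ~30-bit moduli so the script runs offline with the standard library; the primes, the user IDs, the e-mail addresses and the seeds are all constructed for this example and the scheme is not secure.

```python
"""Model of a MitM'd keyserver serving a self-consistent but forged web of trust.
Toy RSA (~30-bit moduli) is used only so the example runs offline; it is NOT secure."""
import hashlib
import math
import random
from dataclasses import dataclass, field

# Constructed prime pool for the toy RSA (illustration only).
_PRIMES = [p for p in range(30011, 32000)
           if all(p % d for d in range(2, int(p ** 0.5) + 1))]
_E = 65537


def keygen(rng):
    """Return toy RSA keys as ((n, e), (n, d))."""
    while True:
        p, q = rng.sample(_PRIMES, 2)
        n, phi = p * q, (p - 1) * (q - 1)
        if math.gcd(_E, phi) == 1:
            return (n, _E), (n, pow(_E, -1, phi))


def _digest(msg, n):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n


def sign(priv, msg):
    n, d = priv
    return pow(_digest(msg, n), d, n)


def verify(pub, msg, sig):
    n, e = pub
    return pow(sig, e, n) == _digest(msg, n)


def fingerprint(pub):
    return hashlib.sha256(f"{pub[0]}:{pub[1]}".encode()).hexdigest()[:16]


@dataclass
class Key:
    uid: str
    pub: tuple
    certs: dict = field(default_factory=dict)  # signer fingerprint -> signature


def _cert_msg(key):
    # What a certification covers in this model: the key's fingerprint and its uid.
    return (fingerprint(key.pub) + key.uid).encode()


def build_keyring(uids, seed):
    """Fresh keys for every uid, each certified by every other key.
    Whoever holds the private keys, owner or attacker, produces this in seconds."""
    rng = random.Random(seed)
    keys, privs = {}, {}
    for uid in uids:
        pub, priv = keygen(rng)
        while fingerprint(pub) in keys:   # avoid duplicate keys in one ring
            pub, priv = keygen(rng)
        keys[fingerprint(pub)] = Key(uid, pub)
        privs[fingerprint(pub)] = priv
    for fpr, key in keys.items():
        for signer_fpr, signer_priv in privs.items():
            if signer_fpr != fpr:
                key.certs[signer_fpr] = sign(signer_priv, _cert_msg(key))
    return keys


def valid_certifications(keyring, key):
    """Certifications on `key` that verify against keys from the same keyring."""
    return sum(1 for signer_fpr, sig in key.certs.items()
               if signer_fpr in keyring
               and verify(keyring[signer_fpr].pub, _cert_msg(key), sig))


def find_key(keyring, name):
    return [k for k in keyring.values() if k.uid.startswith(name + " <")]


def looks_trustworthy(keyring, name, domain, min_certs):
    """The heuristics the mail criticises: one key for the name, the expected
    domain in the address, and 'enough' valid signatures from other keys."""
    matches = find_key(keyring, name)
    if len(matches) != 1:
        return False
    key = matches[0]
    return key.uid.endswith(domain + ">") and valid_certifications(keyring, key) >= min_certs


def matches_known_fingerprint(keyring, name, trusted_fpr):
    """The one check the keyserver cannot influence: a fingerprint you obtained
    out of band (in person, or from an artefact you already trusted)."""
    return any(fingerprint(k.pub) == trusted_fpr for k in find_key(keyring, name))


# Constructed user IDs; the addresses are placeholders, not anyone's real address.
UIDS = ["Werner Koch <example@gnupg.org>", "Signer One <one@example.org>",
        "Signer Two <two@example.org>", "Signer Three <three@example.org>",
        "Signer Four <four@example.org>"]

REAL = build_keyring(UIDS, seed=1)     # what the keyserver really holds
FORGED = build_keyring(UIDS, seed=2)   # what the MitM hands you instead
TRUSTED_FPR = fingerprint(find_key(REAL, "Werner Koch")[0].pub)  # learned out of band

if __name__ == "__main__":
    for label, ring in (("real", REAL), ("forged", FORGED)):
        print(label, "heuristics:", looks_trustworthy(ring, "Werner Koch", "@gnupg.org", 3),
              "fingerprint:", matches_known_fingerprint(ring, "Werner Koch", TRUSTED_FPR))
```

Both keyrings report `heuristics: True`; every certification in the forged ring verifies, because the attacker signed them with keys he controls. Only the out-of-band fingerprint comparison returns `False` for the forgery, which is the point of the mail: consistency of what a keyserver returns proves nothing about who holds the key.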