Re: Including public key
Hi

On Saturday 30 July 2011 at 3:22:12 AM, in , Jay Litwyn wrote:

>>> although it would be tricky to fake photo-id
>>> production on skype. Photo-id doesn't make very good
>>> single frames, but change the angle on television and
>>> those chrome things flicker and move...

> MFPA wrote:
>> OK, use a TV projector and point your webcam at the
>> screen.

> I do not hav a webcam, and I do not know why you want
> me to create feedback.

I thought you mentioned using skype for photo-id production and commented about television pictures flickering and moving, depending on angle. My response was to suggest a way the television picture could be used that had no such limitation. Pointing the webcam at a projected TV image instead of at the person using the computer wouldn't create feedback, as far as I know.

>> "Mallory" could make recordings of your voice and use
>> them to create such a file and sign it with their fake
>> key.

> Not if she wants any coherence in the tune; not that
> there is a lot, mind you: It was straight a-cappella.

When I played the file, I was checking what you said rather than how you said it, unaware there would be a tune to listen for. I'm sure somebody with a little skill in audio editing, and a better ear for pitch than I have, could adjust the speed and pitch of each sound to produce a passable end result.

> All you can ever do is make a man in the middle attack
> harder.

Fair enough.

> Live conversation makes it harder.

Do you mean just real-life face-to-face, or do you include telephones and/or videoconferencing?

> The picture of a thumb in PGP bugs me.

Yes, giving up finger/thumbprints is linked in my mind to interrogation and incarceration, not to privacy.

> PGP also
> features a list of words, instead of hexadecimal. It
> calls *that* a biometric print; not unless you voice it
> somewhere, and it won't work with GPG, which would need
> the same dictionary.

The word list is there as an additional option to use in PGP, which also uses hexadecimal (or did when I used PGP 8.x). I fail to see how the word "biometric" applies, except as an extension of the metaphor about key digests being fingerprints. The word list is an alternative way of expressing the same information, and the word "biometric" is (loosely) an alternative word for "fingerprint." The word-list might present issues for non-English-speakers, as discussed a decade ago in the thread at http://lists.gnupg.org/pipermail/gnupg-devel/2001-March/017007.html

> My
> library also had a reverse directory for Edmonton.

Reverse directory information is available here only for law enforcement purposes (which is interpreted far too loosely).

> They required my social security number. Nobody is
> perfect. I am nobody. Therefore, I am perfect. Why
> would anyone go to such lengths to impersonate me
> electronically?

No idea, but anybody asking for my national insurance number would be told to take a hike, unless they needed it to process payroll deductions, pensions, or benefits. They have no other legitimate use for it.

--
Best regards

MFPA mailto:expires2...@ymail.com

The truth is rarely pure and never simple

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Including public key
On 2011-07-29 6:03 PM, MFPA wrote:
> Hi
>
> On Thursday 28 July 2011 at 4:22:52 PM, in
> , Jay Litwyn wrote:
>
>> Do not sign my photo until you see me in person,
>
> OK, fair enough. If the key has WoT signatures from people I trust
> to have such a policy. But in the case of the OP's key with only
> self-signatures, the inclusion of a photo would do nothing to
> reassure me.

I was just looking at the pgp global directory signing key (the machine that signed my key). About twenty revokation certificates are on it, including p...@mit.edu

>> although it would be tricky to fake photo-id production on skype.
>> Photo-id doesn't make very good single frames, but change the angle
>> on television and those chrome things flicker and move...
>
> OK, use a TV projector and point your webcam at the screen.

I do not hav a webcam, and I do not know why you want me to create feedback.

>>> A phone number would only help if the person ringing it knew you
>>> well enough to recognise your voice on the phone. Even then,
>>> somebody could record your voice and use it create an
>>> answerphone message...
>
>> That is what a signed mp3 in my comment is about,
>
> Signed with the key, and somebody who knows you could recognise your
> voice if they play the file. Arguably, "Mallory" could make
> recordings of your voice and use them to create such a file and sign
> it with their fake key.

Not if she wants any coherence in the tune; not that there is a lot, mind you: It was straight a-cappella. All you can ever do is make a man in the middle attack harder. Live conversation makes it harder.

>> and just in case you do not follow links in message source
>> [comments] very often...
>
> Like almost never. (-;
>
>> http://ecn.ab.ca/~brewhaha/gpg/Keyprint_Biometric.mp3.pgp (I will
>> never call it a thumbprint or a fingerprint; key hash)
>
> Why not? Using the standard term of "Fingerprint" rather than
> "Keyprint_Biometric" might lead more people to understand what the
> file was likely to be.

The picture of a thumb in PGP bugs me. PGP also features a list of words, instead of hexadecimal. It calls *that* a biometric print; not unless you voice it somewhere, and it won't work with GPG, which would need the same dictionary.

>> Additionally, you can do a reverse lookup on my phone number
>
> I could possibly pay somebody with law enforcement connections to do
> that.

A link is from my phone number on my web site: http://ecn.ab.ca/~brewhaha/ to my snail address if you want. In 1990, if I wanted to do a reverse lookup, I could go to the library. There they had about nine square metres dedicated to phone books in North America (I think that's where they drew the line, anyway). My library also had a reverse directory for Edmonton. By 1996, they were doing the same thing with a computer and disks; much less space, many more search options. Today, I do not hav to go anywhere, my white pages are useless for looking up businesses, and reverse lookup (for this country) iz at: http://www.canada411.ca/ (under other search options)

>> and at least see if I am lying about my given and family names,
>> according to a corporation that my library used to verify my
>> identity.
>
> Assuming the phone is billed to you personally, and that you gave
> your real name when setting up the service.

They required my social security number. Nobody is perfect. I am nobody. Therefore, I am perfect. Why would anyone go to such lengths to impersonate me electronically?

> I once had a library check on my phone number, by getting out the
> phone book and finding my surname and address and comparing the
> number listed to the one I gave them. (That was when I was in my
> teens and lived with my parents, so the initial would not have
> matched my first name.)
>
>> My bottom line is that photos and phone numbers do not hurt.
>
> Depends on the user's privacy requirements and threat model.

"Enerjize", said Kirk, then a pink drummer bunny appeared.
Re: Including public key
Hi

On Thursday 28 July 2011 at 7:15:16 PM, in , Jay Litwyn wrote:

> That's why "void" appears in my public key. Neither PGP
> 10, nor gpg were going to allow me to leave my given
> and family names blank; separate, and yet _linked_
> elements of identification.

GnuPG allows this; I think you need to use --expert and maybe --allow-freeform-uid.

--
Best regards

MFPA mailto:expires2...@ymail.com

It's better to feed one cat than many mice
Re: Including public key
Hi

On Thursday 28 July 2011 at 4:22:52 PM, in , Jay Litwyn wrote:

> Do not sign my photo until you see me in person,

OK, fair enough. If the key has WoT signatures from people I trust to have such a policy. But in the case of the OP's key with only self-signatures, the inclusion of a photo would do nothing to reassure me.

> although it would be tricky to fake photo-id production
> on skype. Photo-id doesn't make very good single
> frames, but change the angle on television and those
> chrome things flicker and move...

OK, use a TV projector and point your webcam at the screen.

>> A phone number would only help if the person ringing
>> it knew you well enough to recognise your voice on the
>> phone. Even then, somebody could record your voice
>> and use it create an answerphone message...

> That is what a signed mp3 in my comment is about,

Signed with the key, and somebody who knows you could recognise your voice if they play the file. Arguably, "Mallory" could make recordings of your voice and use them to create such a file and sign it with their fake key.

> and
> just in case you do not follow links in message source
> [comments] very often...

Like almost never. (-;

> http://ecn.ab.ca/~brewhaha/gpg/Keyprint_Biometric.mp3.pgp
> (I will never call it a thumbprint or a fingerprint; key hash)

Why not? Using the standard term of "Fingerprint" rather than "Keyprint_Biometric" might lead more people to understand what the file was likely to be.

> Additionally, you can do a reverse lookup on my phone
> number

I could possibly pay somebody with law enforcement connections to do that.

> and at least see if I am lying about my given
> and family names, according to a corporation that my
> library used to verify my identity.

Assuming the phone is billed to you personally, and that you gave your real name when setting up the service.

I once had a library check on my phone number, by getting out the phone book and finding my surname and address and comparing the number listed to the one I gave them. (That was when I was in my teens and lived with my parents, so the initial would not have matched my first name.)

> My bottom line is that photos and phone numbers do not
> hurt.

Depends on the user's privacy requirements and threat model.

--
Best regards

MFPA mailto:expires2...@ymail.com

He's an environmentalist - his arguments are 100% recycled
Re: Including public key
On 7/28/11 3:46 PM, Peter Lebbing wrote:
> Please communicate in a way where I don't have to
> read every other sentence twice to get what you are trying to tell us.

I wunder if iu've red the "Plan for xe Impruvment of Ingliy Speling," popyularly atributed to Mark Twain?

http://everything2.com/title/A+Plan+for+the+Improvement+of+English+Spelling

(In all seriousness, I share in your general concern: but I'm of the opinion a small bit of good humor is always on-topic.)
Re: Including public key
On 2011-07-28 10:08 AM, Melvin Carvalho wrote:

(...)

>> It's quite a new system, but supported by the W3C and on it's way
>> to becoming a standard. For more info see the video at:
>> http://webid.info/

(...)

paypal and your bank are unlikely subscribers to this potential standard. You will notice that neither one allows your browzer to store a password for them. They also time out; expire logins. That's how concerned they are with authenticity; not even someone else from your home. I do not really see how an open login system can *increase* security. However much you use the math, if you are effectively logged into all of the servers you ever used at once, then the openness of your computer (say if it is on, and you head out for soda without logging out) is an authenticity threat. You do not want to explain someone else's actions to admins on wikipedia: You will be lucky if they believe you.

___
I found JESUS! He was in my trunk when I got back from Tijuana.
Re: Including public key
On 28/07/11 20:15, Jay Litwyn wrote:
> In my case, that iz likely, because I yuuz only screen names on USENET.

yuuz? That's where I draw the line. This mailing list is for communication, not showing your "1337 skillz". So please communicate in a way where I don't have to read every other sentence twice to get what you are trying to tell us.

Peter.

PS: At first I wondered if you had an interesting variant of dyslexia :). Perhaps quite the opposite of your intention.

--
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at http://wwwhome.cs.utwente.nl/~lebbing/pubkey.txt
Re: Including public key
On 2011-07-28 10:08 AM, Melvin Carvalho wrote:
> On 28 July 2011 16:01, MFPA wrote: Hi
>
> On Thursday 28 July 2011 at 12:53:41 PM, in
> , Jay Litwyn wrote:
> Attaching a photo to your public key might help. So might putting a phone number on your public key.
>
> I'm not too convinced a photo would help much. I could create a key
> and include a photo obtained from the internet...
>
> A phone number would only help if the person ringing it knew you
> well enough to recognise your voice on the phone. Even then, somebody
> could record your voice and use it create an answerphone message...
>
>> It's now possible to put a photo, phone number etc on your home
>> page, and also put your public key there.
>
>> That's what I do. For this I use my OpenPGP key together with some
>> HTML5.

The only reason I am not using HTML5, yet, iz because it requires knowing CSS to set link, vlink, and alink colours. What you are talking about only requires HTML 3.2 (which haz been a standard for ten years, and even now there is a portion of internet traffic from I.E.6.), which supports colour in body tags, while HTML5 does not; yet another "standard" that is not backward compatible. Not recognizing a public key from "stamper" is being not backward compatible.

A signed photo means a *bit more* than photos on facebook. A signed phone number means a *bit more* than a link to your phone company. That is especially true when three identifiers are linked to the same key, separately, so that you don't need to know all four (voice, name, face, and e-mail address), and so that you can let other people confirm only what they've experienced, az in perhaps they should not feel qualified to sign my given and family names, yet they're confident of my e-mail address. In my case, that iz likely, because I yuuz only screen names on USENET. The bit more is potential for privacy, and insulation against "identity theft".

Someone could simply copy your web site and change a few things to steal your identity, at least until you found out and complained to their ISP. That's why "void" appears in my public key. Neither PGP 10, nor gpg were going to allow me to leave my given and family names blank; separate, and yet _linked_ elements of identification.

>> It's quite a new system, but supported by the W3C and on it's way
>> to becoming a standard. For more info see the video at:
>> http://webid.info/

Like I said, it is more authentic and therefore more useful when pieces of your identity are linked in dijital signatures. It would be a bit tricky to do that with HTML. You could do it with PDF, because there iz a standard for signatures (and probably compound signatures) on PDF. There isn't one for HTML, AFAIK, that doesn't require s/mime or some complicated and little-used piece of HTTPS or HTTPD.

___
Line for Darth Vader in Star Wars to sanitize: "(Exhale, Inhale) Luke, you are my bastard!"
Re: Including public key
On 28 July 2011 16:01, MFPA wrote:
> Hi
>
> On Thursday 28 July 2011 at 12:53:41 PM, in
> , Jay Litwyn wrote:
>
>> Attaching a photo to your public key might
>> help. So might putting a phone number on your public
>> key.
>
> I'm not too convinced a photo would help much. I could create
> a key and include a photo obtained from the internet...
>
> A phone number would only help if the person ringing it knew you well
> enough to recognise your voice on the phone. Even then, somebody could
> record your voice and use it create an answerphone message...

It's now possible to put a photo, phone number etc on your home page, and also put your public key there.

That's what I do. For this I use my OpenPGP key together with some HTML5.

It's quite a new system, but supported by the W3C and on it's way to becoming a standard. For more info see the video at: http://webid.info/

> --
> Best regards
>
> MFPA mailto:expires2...@ymail.com
>
> A nod is as good as a wink to a blind bat!
Re: Including public key
On 2011-07-28 8:01 AM, MFPA wrote:
> Hi
>
> On Thursday 28 July 2011 at 12:53:41 PM, in
> , Jay Litwyn wrote:
>
>> Attaching a photo to your public key might help. So might putting
>> a phone number on your public key.
>
> I'm not too convinced a photo would help much. I could create a key
> and include a photo obtained from the internet...

Do not sign my photo until you see me in person, although it would be tricky to fake photo-id production on skype. Photo-id doesn't make very good single frames, but change the angle on television and those chrome things flicker and move...

> A phone number would only help if the person ringing it knew you well
> enough to recognise your voice on the phone. Even then, somebody
> could record your voice and use it create an answerphone message...

That is what a signed mp3 in my comment is about, and just in case you do not follow links in message source [comments] very often...

http://ecn.ab.ca/~brewhaha/gpg/Keyprint_Biometric.mp3.pgp
(I will never call it a thumbprint or a fingerprint; key hash)

Kleopatra won't handle that file...says no data, and gpg will handle it on a command line, making an mp3 out of it.

Additionally, you can do a reverse lookup on my phone number and at least see if I am lying about my given and family names, according to a corporation that my library used to verify my identity.

My bottom line is that photos and phone numbers do not hurt.

___
Quantum Mechanics do it on fields and in time.
Re: Including public key
Hi

On Thursday 28 July 2011 at 12:53:41 PM, in , Jay Litwyn wrote:

> Attaching a photo to your public key might
> help. So might putting a phone number on your public
> key.

I'm not too convinced a photo would help much. I could create a key and include a photo obtained from the internet...

A phone number would only help if the person ringing it knew you well enough to recognise your voice on the phone. Even then, somebody could record your voice and use it create an answerphone message...

--
Best regards

MFPA mailto:expires2...@ymail.com

A nod is as good as a wink to a blind bat!
Re: Including public key
On 2011-07-27 8:25 PM, Len Cooley wrote:
> Well, let me ask you this. Is it useful/useless/ridiculous/orwhat to
> attach your public key as a sig at the end of an email, such as
> below?

It depends on the environment of your receiver. Would they be subject to seeing your signature replaced? Do any policies concern the use of cryptography at their workplace or domicile, say in jail or in a country where Blackberry crypto is an issue (India, if I remember correctly)? Do they live in a country that accepted U.S. export restrictions on cryptography (probably Russia)? Is your recipient a public figure (about whom there might be motivation to pull a Murdoch) or an ex convict (about whom there might still be search warrants)?

In any of the rejions where cryptography is controlled, it is a better idea (than simply sending a public key with no signatures on it other than yours) to be creative with the hash on your public key; perhaps telephone verification, perhaps you can personally meet someone on the web of trust.

While the Physics of public key cryptography are air tight, it depends on signatures on your public key to become robust in the real world. I suspect that you are more likely to get those if you release your key on servers, and sign a lot of stuff that people consider important.

Attaching a photo to your public key might help. So might putting a phone number on your public key.
Re: Including public key
On Thu, 28 Jul 2011 08:29, k...@grant-olson.net said:

> attacker could have forged both. They could in other circumstances as
> well, but it's less likely for someone to forge both a public key on the
> keyservers (or your personal website, or your business card, etc), and a
> signature on a forged email. They need to compromise two lines of defense.

Why? Sending a key to a keyserver is cheap. The validity of the key needs to be established by different means; for example using the WoT.

Shalom-Salam,

Werner

--
Thoughts are free. Exceptions are regulated by a federal law.
Re: Including public key
On 7/27/2011 10:25 PM, Len Cooley wrote:
> Well, let me ask you this. Is it useful/useless/ridiculous/orwhat to
> attach your public key as a sig at the end of an email, such as below?

Unless you're trying to keep your key 'off the grid' I'd just send the key to the keyservers. Then people who use OpenPGP will retrieve the key based on your email's signature. People who don't care will just ignore your sig, which will be smaller than your full public key.

If you are trying to keep the key 'off the grid' then you don't want to include it as a generic signature either.

In general, it's best to get the key from a different source than your signed email. If your signature and key are in the same email, an attacker could have forged both. They could in other circumstances as well, but it's less likely for someone to forge both a public key on the keyservers (or your personal website, or your business card, etc), and a signature on a forged email. They need to compromise two lines of defense.

--
Grant
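Added example, not part of the original thread: the point in the message above (a key and a signature arriving in the same email can both be forged) together with Werner's reply that validity has to be established by other means, worked through in code. It computes the OpenPGP v4 fingerprint as defined in RFC 4880 (SHA-1 over 0x99, a two-octet length and the public-key packet body) and accepts a key only when it matches a fingerprint obtained out of band; the key material, timestamps and function names are constructed for illustration.

```python
import hashlib
import struct


def mpi(value: int) -> bytes:
    """OpenPGP multiprecision integer: two-octet bit count, then big-endian bytes."""
    bits = value.bit_length()
    return struct.pack(">H", bits) + value.to_bytes((bits + 7) // 8, "big")


def rsa_key_packet(created: int, n: int, e: int) -> bytes:
    """Version 4 RSA public-key packet (tag 6) with an old-format header."""
    body = bytes([4]) + struct.pack(">I", created) + bytes([1]) + mpi(n) + mpi(e)
    return bytes([0x99]) + struct.pack(">H", len(body)) + body


def public_key_body(data: bytes) -> bytes:
    """Return the body of the leading public-key packet, old or new header format."""
    if len(data) < 2 or not data[0] & 0x80:
        raise ValueError("not an OpenPGP packet")
    first = data[0]
    if first & 0x40:  # new-format header: tag in the low six bits
        tag, l0 = first & 0x3F, data[1]
        if l0 < 192:
            length, start = l0, 2
        elif l0 < 224:
            length, start = ((l0 - 192) << 8) + int.from_bytes(data[2:3], "big") + 192, 3
        elif l0 == 255:
            length, start = int.from_bytes(data[2:6], "big"), 6
        else:
            raise ValueError("partial body length is not valid for a key packet")
    else:  # old-format header: tag in bits 5-2, length type in bits 1-0
        tag = (first >> 2) & 0x0F
        size = {0: 1, 1: 2, 2: 4}.get(first & 0x03)
        if size is None:
            raise ValueError("indeterminate length is not supported")
        length, start = int.from_bytes(data[1:1 + size], "big"), 1 + size
    body = data[start:start + length]
    if tag != 6 or len(body) != length or length > 0xFFFF or body[:1] != b"\x04":
        raise ValueError("expected one complete version 4 public-key packet")
    return body


def fingerprint(data: bytes) -> str:
    """V4 fingerprint: SHA-1 over 0x99, two-octet body length, packet body."""
    body = public_key_body(data)
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()


def grouped(fpr: str) -> str:
    """Fingerprint in groups of four hex digits, as printed on a card or read aloud."""
    return " ".join(fpr[i:i + 4] for i in range(0, len(fpr), 4))


def accept_with_pin(key_packet: bytes, pinned: str) -> bool:
    """Accept a key only if it hashes to a fingerprint learned through another channel."""
    try:
        actual = fingerprint(key_packet)
    except ValueError:
        return False
    return actual == "".join(pinned.split()).upper()


def accept_from_same_email(message: dict) -> bool:
    """Weak check: the fingerprint compared against arrived together with the key."""
    return accept_with_pin(message["key"], message["claimed_fingerprint"])


def constructed_modulus(label: bytes) -> int:
    """Constructed 1024-bit stand-in for an RSA modulus; not a usable key."""
    raw = b"".join(hashlib.sha256(label + bytes([i])).digest() for i in range(4))
    return int.from_bytes(raw, "big") | (1 << 1023) | 1


# Constructed sample data: two different keys that could carry the same user ID.
SENDER_KEY = rsa_key_packet(1300000000, constructed_modulus(b"sender"), 65537)
FORGED_KEY = rsa_key_packet(1311800000, constructed_modulus(b"attacker"), 65537)
# Fingerprint the recipient got from the sender in person (assumed out-of-band step).
PINNED = grouped(fingerprint(SENDER_KEY))
# A forged mail is self-consistent: the attacker supplies key and fingerprint alike.
FORGED_EMAIL = {"key": FORGED_KEY, "claimed_fingerprint": grouped(fingerprint(FORGED_KEY))}


def demo() -> dict:
    return {
        "forged mail, checked against itself": accept_from_same_email(FORGED_EMAIL),
        "forged key, checked against pin": accept_with_pin(FORGED_KEY, PINNED),
        "sender key, checked against pin": accept_with_pin(SENDER_KEY, PINNED),
    }


if __name__ == "__main__":
    for check, accepted in demo().items():
        print(f"{check}: {'accepted' if accepted else 'rejected'}")
```

The pinned comparison says nothing about who uploaded a key to a keyserver; it only binds the key bytes to a value the recipient obtained some other way, which is the role WoT signatures or an in-person exchange play in the thread.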
Re: Including public key
On Jul 27, 2011, at 10:25 PM, Len Cooley wrote:

> Well, let me ask you this. Is it useful/useless/ridiculous/orwhat to
> attach your public key as a sig at the end of an email, such as below?

It depends on what you're trying to accomplish. In my experience, it's generally felt to be somewhat impolite (just as any 32+ line .sig file would be), especially when a simple link to the keyserver is so easy to include.

David
Re: Including public key
On 7/27/11 10:25 PM, Len Cooley wrote:
> Well, let me ask you this. Is it useful/useless/ridiculous/orwhat to
> attach your public key as a sig at the end of an email, such as below?

As with most things in life, "it depends."

There are almost certainly environments in which doing so makes a lot of sense. Competing standards, such as S/MIME, do something similar to this as a matter of course, so it's not entirely whacked-out.

That said, in the OpenPGP community usage like this seems pretty rare. Most people are happy to just use the certificate servers. :)
Including public key
Well, let me ask you this. Is it useful/useless/ridiculous/orwhat to attach your public key as a sig at the end of an email, such as below?

--
My GPG public key