Nathaniel Suchy writes:

> I've noticed a lot of users of Tor use PGP. With it you can encrypt or sign
> a message. However, how do we know a key is real? What would stop me from
> creating a new key pair and uploading it to the key servers? And from there
> spoofing identity?
The traditional answer, which amazingly nobody has mentioned in this thread,
is called the PGP web of trust.

https://en.wikipedia.org/wiki/Web_of_trust

In the original conception of PGP, people were supposed to sign other
people's keys, asserting that they had checked that those keys were genuine
and belonged to the people they purported to. This is used most
successfully by the Debian project for authenticating its developers, all
of whom have had to meet other developers in person and get their keys
signed. Debian people and others still practice keysigning parties.

https://en.wikipedia.org/wiki/Key_signing_party

This method has scaling problems, transitive-trust problems (it's possible
that some people in your extended social network don't understand the
purpose of verifying keys, or even actively want to subvert the system),
and the problem that it reveals publicly who knows or has met whom. For
example, after a keysigning party, if the signatures are uploaded to key
servers, there is public cryptographic evidence that all of those people
were together at the same time. So there is a lot of concern that the web
of trust hasn't lived up to the expectations people had for it at the time
of PGP's creation.

People also don't necessarily check it in practice. Someone made fake keys
for all of the attendees of a particular keysigning party in 2010
(including me); I've gotten unreadable encrypted messages from over a dozen
PGP users as a result, because they believed the fake key was real or
because software auto-downloaded it for them without checking the
signatures.
If you did try to check the signatures but didn't already have some genuine
key as a point of reference, there's also this problem:

https://evil32.com/

-- 
Seth Schoen <sch...@eff.org>
Senior Staff Technologist                       https://www.eff.org/
Electronic Frontier Foundation                  https://www.eff.org/join
815 Eddy Street, San Francisco, CA 94109       +1 415 436 9333 x107
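An added illustration (not code from this thread, nor from GnuPG or the EFF) of the two points above: how a web-of-trust client decides which keys are valid given the signatures it holds and the ownertrust it has assigned, and why a key looked up by its 32-bit short ID is ambiguous. The keyring, fingerprints and signatures are constructed by hand; the validity rules follow the general shape of GnuPG's classic trust model (a number of marginal or full introducers within a maximum chain depth) but are a simplification, not the real algorithm.

```python
from collections import defaultdict

# Constructed keyring (fingerprint -> claimed user ID). These are not real
# OpenPGP keys; the 40-hex-digit strings only stand in for fingerprints.
ALICE    = "A" * 32 + "00000001"   # our own key, ultimately trusted
BOB      = "B" * 32 + "0BADF00D"
CAROL    = "C" * 32 + "00000003"
DAVE     = "D" * 32 + "00000004"
ERIN     = "E" * 32 + "00000005"
FRANK    = "F" * 32 + "00000006"
GRACE    = "1" * 32 + "00000007"
HEIDI    = "2" * 32 + "00000008"
MALLORY  = "3" * 32 + "00000009"
FAKE_BOB = "4" * 32 + "0BADF00D"   # same low 32 bits as BOB, different key

KEYRING = {
    ALICE: "Alice <alice@example.org>", BOB: "Bob <bob@example.org>",
    CAROL: "Carol <carol@example.org>", DAVE: "Dave <dave@example.org>",
    ERIN: "Erin <erin@example.org>", FRANK: "Frank <frank@example.org>",
    GRACE: "Grace <grace@example.org>", HEIDI: "Heidi <heidi@example.org>",
    MALLORY: "Mallory <mallory@example.org>",
    FAKE_BOB: "Bob <bob@example.org>",   # a second key claiming Bob's identity
}

# Certification signatures: (signer, key whose user ID the signer vouches for).
SIGNATURES = [
    (ALICE, BOB), (BOB, CAROL),
    (ALICE, DAVE), (ALICE, ERIN), (ALICE, FRANK),
    (DAVE, GRACE), (ERIN, GRACE), (FRANK, GRACE),
    (MALLORY, FAKE_BOB), (MALLORY, HEIDI), (FAKE_BOB, HEIDI),
]

# Ownertrust: how far we trust each key *as an introducer* of other keys.
# Anyone absent is "unknown", so their signatures never confer validity.
OWNERTRUST = {ALICE: "ultimate", BOB: "full",
              DAVE: "marginal", ERIN: "marginal", FRANK: "marginal"}


def compute_validity(keyring, signatures, ownertrust,
                     marginals_needed=3, completes_needed=1, max_depth=5):
    """Return {fingerprint: depth} for every key we consider valid.

    A key becomes valid when it carries enough signatures from keys that are
    themselves already valid AND that we have assigned ownertrust to. Depth 0
    is our own (ultimately trusted) key; each round of the loop adds one hop.
    """
    certifiers = defaultdict(set)
    for signer, signee in signatures:
        if signer in keyring and signee in keyring:
            certifiers[signee].add(signer)

    valid = {fp: 0 for fp, t in ownertrust.items() if t == "ultimate"}
    for depth in range(1, max_depth + 1):
        newly = {}
        for fp in keyring:
            if fp in valid:
                continue
            full = marginal = 0
            for signer in certifiers[fp]:
                if signer not in valid:
                    continue            # a signature from an unvalidated key is noise
                trust = ownertrust.get(signer, "unknown")
                if trust in ("ultimate", "full"):
                    full += 1
                elif trust == "marginal":
                    marginal += 1
            if full >= completes_needed or marginal >= marginals_needed:
                newly[fp] = depth
        if not newly:
            break
        valid.update(newly)
    return valid


def short_key_id(fingerprint):
    """The 8-hex-digit (32-bit) key ID: the low bits of the fingerprint."""
    return fingerprint[-8:].upper()


def lookup(keyring, identifier):
    """Resolve a full fingerprint, long ID or short ID to ALL matching keys.

    More than one match means the identifier is ambiguous and cannot be used
    to pick a key on its own; only the full fingerprint is unique here.
    """
    ident = identifier.upper().replace(" ", "")
    if len(ident) == 40:
        return [ident] if ident in keyring else []
    return [fp for fp in keyring if fp.endswith(ident)]


if __name__ == "__main__":
    validity = compute_validity(KEYRING, SIGNATURES, OWNERTRUST)
    for fp, uid in KEYRING.items():
        status = f"valid (depth {validity[fp]})" if fp in validity else "NOT valid"
        print(f"{short_key_id(fp)}  {uid:30}  {status}")
    print("keys matching short ID 0BADF00D:", lookup(KEYRING, "0BADF00D"))
```

Running it shows Bob, Dave, Erin and Frank valid at depth 1 (signed directly by our own key), Carol at depth 2 through Bob's full trust, and Grace at depth 2 only because three marginally trusted introducers all signed her. Heidi and the second "Bob" key carry signatures too, but from keys nobody we trust has vouched for, so they never become valid: that is the check the users in Seth's anecdote skipped. The final line returns two keys for the short ID 0BADF00D, which is the ambiguity behind the evil32 link: the short ID tells you nothing about which of the two is genuine, so compare the full fingerprint.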