1996-04-08 - Re: Why sign pubkey?

Header Data

From: norm@netcom.com (Norman Hardy)
To: ebear@laplaza.taos.nm.us (Bear Albrecht)
Message Hash: 2892e004fb11fb47163e5322f9ca23b166269e64a702fb0e128f0cb21c6b3882
Message ID: <ad8e59160002100407e9@DialupEudora>
Reply To: N/A
UTC Datetime: 1996-04-08 09:21:22 UTC
Raw Date: Mon, 8 Apr 1996 17:21:22 +0800

Raw message

From: norm@netcom.com (Norman Hardy)
Date: Mon, 8 Apr 1996 17:21:22 +0800
To: ebear@laplaza.taos.nm.us (Bear Albrecht)
Subject: Re: Why sign pubkey?
Message-ID: <ad8e59160002100407e9@DialupEudora>
MIME-Version: 1.0
Content-Type: text/plain


Thanks for the post. There is someone with a quite legitimate reason to
sign a newly generated public key with "Norman Hardy" in the user id string
but without my my e-mail address. He is one of the several other Norman
Hardy's in the U.S.  I could include a very short biography which would fix
that ambiguity.

I only send secrets to people that I have some reason to trust. I gain
trust sometimes from having met someone in person and talked for a few
hours. If I get a business card with a key finger print and e-mail address
(or URL) then I am safe from such spoofing as described in your post. Her
name plays no role in the transaction.

If I trust her because you recommended her to me, then perhaps I can get a
fingerprint and URL from you. Again I need no name.

In both of these cases the URL is merely a convenience. If she moves her
web page, a search engine will soon find it given a part of the finger
print included in the web page. Unless the attacker has compromised the
search engine, I need merely send mail enciphered by her public key to the
e-mail address given in each web page claiming to own the public key. Only
she will be able to read the mail.

Recommendation:
  Put URL & finger print on business cards.
  Include URL and finger print in recommendations.

  To send a secure message to some whose URL & trusted print you have:
    Check the URL for a public key whose print matches the trusted print.
      If that fails use a search engine for a better URLs.
    Send mail to each e-mail address found on a web page passing the test.

Recommendations should include a little text about what things the designee
should trusted with. Programs like PGP that follow trust chains should
display the text from each recommendation in the chain.







Thread