1992-12-24 - Re: Signing text messages…

Header Data

From: "Doctor Zaphod" <ncselxsi!drzaphod@ncselxsi.netcom.com>
To: CypherPunks@Toad.Com
Message Hash: 852a3191002e932b24c408032d74f52632af9406a49802dea1748c28bb8347bb
Message ID: <57860.drzaphod@ncselxsi>
Reply To: N/A
UTC Datetime: 1992-12-24 00:16:27 UTC
Raw Date: Wed, 23 Dec 92 16:16:27 PST

Raw message

From: "Doctor Zaphod" <ncselxsi!drzaphod@ncselxsi.netcom.com>
Date: Wed, 23 Dec 92 16:16:27 PST
To: CypherPunks@Toad.Com
Subject: Re: Signing text messages...
Message-ID: <57860.drzaphod@ncselxsi>
MIME-Version: 1.0
Content-Type: text/plain


In Message Wed, 23 Dec 92 13:18:54 PST,
  uunet.uu.net!ghsvax!hal@netcomsv.netcom.com (Hal Finney) writes:

>Or are you suggesting that someone else could create a bogus public
>key claiming to mine, re-sign the message using that public key, and
>then get people to think it was from me?

     Perhaps they could alter the message, use a bogus public key, and
     re-sign the message.

>But no, I wouldn't, because people would (or should) know not to trust
>a random public key to be from whom it claims.  My posted key is
>signed by Phil Zimmermann.  This doesn't absolutely prove it is from
>me, but I think it makes it worthwhile to post the key.

     I didn't realize you had included a signed key.  Minus one point
     for research.  Yes, people SHOULD know not to use a publicly posted
     key.  But do they?

>Anyway, the real reason I posted the key in this case was so that
>people could check the cleartext signature to see if it had been
>mangled by various mail gateways.  That was the topic of discussion in
>the message, so I wanted to make it easy for people to try checking
>the signature.

     Then posting your public key was clearly the right thing to do.  I
     have noticed, however, that people have posted their public key
     along with a signed message before [there was a discussion on mangled,
     signed plaintext] and thought I would mention this to anybody who
     thought they were using infallible methods of authentication.

     I must urge everybody not to accept any key from a source other than
     person to person [or using a fone call to exchange MD5 hashes] unless
     it is signed by somebody you HAVE exchanged keys with in this way.
     I hope nobody sees a message with a public key attached to it and says,
     "Oh!  There's a key I can add to my keyring", and abandons the entire
     key-exchange method.  TTFN!


     nobody saw
DrZaphod
[AC/DC] / [DnA][HP]
[drzaphod@ncselxsi.uucp]
Technicolorized
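The acceptance rule the message argues for, as an added illustration that is not part of the thread: a posted key is trusted only if its fingerprint was confirmed out of band, or if it is certified by a key you already obtained that way (one hop, no further). The names, key bytes and `PostedKey` structure are constructed for the example; cryptographic signature checking is assumed to be done by the PGP implementation, so `certified_by` records only which key made each certification.

```python
import hashlib
from dataclasses import dataclass, field

# Constructed sample data: the bytes stand in for real public-key material.
# Signatures are assumed already verified by the PGP software; certified_by
# maps the introducer's name to the fingerprint of the key that signed.

@dataclass
class PostedKey:
    owner: str
    key_bytes: bytes
    certified_by: dict = field(default_factory=dict)

def fingerprint(key_bytes: bytes) -> str:
    """MD5 of the key material, the value the message suggests reading over a phone call."""
    return hashlib.md5(key_bytes).hexdigest()

def verified_by_phone(key: PostedKey, spoken_fingerprint: str) -> bool:
    """Path 1: the owner read you the fingerprint out of band; it must match the posted key."""
    return fingerprint(key.key_bytes) == spoken_fingerprint.lower().replace(" ", "")

def accept_key(key: PostedKey, directly_exchanged: dict) -> bool:
    """Path 2: accept only if certified by a key you hold from direct exchange.
    directly_exchanged maps owner name -> fingerprint of the key obtained in person."""
    if key.owner in directly_exchanged:
        # You already hold this person's key; a posted copy must be the same key.
        return fingerprint(key.key_bytes) == directly_exchanged[key.owner]
    # One hop only: the signing key must itself be one you exchanged directly.
    # A forged "Phil" key signing the bogus key fails here, since its fingerprint differs.
    return any(directly_exchanged.get(name) == fp for name, fp in key.certified_by.items())

def demo() -> tuple:
    """Constructed scenario: Hal's real key signed by Phil, a forgery signed by a fake
    Phil key, and a self-signed bogus key posted alongside a message."""
    phil, fake_phil = b"constructed-phil-key", b"constructed-bogus-phil-key"
    hal, mallory = b"constructed-hal-key", b"constructed-mallory-key"
    my_keyring = {"Phil Zimmermann": fingerprint(phil)}  # exchanged in person
    genuine = PostedKey("Hal Finney", hal, {"Phil Zimmermann": fingerprint(phil)})
    forged = PostedKey("Hal Finney", mallory, {"Phil Zimmermann": fingerprint(fake_phil)})
    self_signed = PostedKey("Hal Finney", mallory, {"Hal Finney": fingerprint(mallory)})
    return (accept_key(genuine, my_keyring),
            accept_key(forged, my_keyring),
            accept_key(self_signed, my_keyring))  # returns (True, False, False)
```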
