1996-01-30 - Signed posts (was Re: FV … Fatal Flaw …)

Header Data

From: olbon@dynetics.com (Clay Olbon II)
To: cypherpunks@toad.com
Message Hash: 3fa3e75a0561e217d2be06fec4d77d9ed491d605d3d658643536dff279e4f609
Message ID: <v01540b02ad33d3833bc4@[193.239.225.200]>
Reply To: N/A
UTC Datetime: 1996-01-30 15:07:40 UTC
Raw Date: Tue, 30 Jan 1996 23:07:40 +0800

Raw message

From: olbon@dynetics.com (Clay Olbon II)
Date: Tue, 30 Jan 1996 23:07:40 +0800
To: cypherpunks@toad.com
Subject: Signed posts (was Re: FV ... Fatal Flaw ...)
Message-ID: <v01540b02ad33d3833bc4@[193.239.225.200]>
MIME-Version: 1.0
Content-Type: text/plain


-----BEGIN PGP SIGNED MESSAGE-----


Amidst all of the <exon> about the "fatal flaw", Mr. Scarenstein brings up
(amazingly) an interesting point regarding signed posts that I have wondered
about for a while.

At 5:30 PM 1/29/96, Nathaniel Borenstein wrote (highly edited!):
>Do you have my key in your key ring?  I rather  doubt it.  So what good
>would it have done?
>
>Have you downloaded my key from the net?  Assume that you have.  How do
>you know it's mine?

The issue of knowing that a signed post belongs to a particular individual
has come up often.  Clearly the best approach is verifying the key in person.
Failing that, however, I have adopted a strategy of maximizing the
probability that the key actually belongs to me.  I do this by:

        1.  Including the fingerprint and where to get the key in my
            signed post (within the pgp sig)

        2.  Putting the key in a fairly secure place (i.e. on a machine
            controlled by my employer, but where I can check the key
            periodically)

        3.  Putting the same key on the keyservers

I could (and should) also place it on my web page as well.

This is not to say that someone could not impersonate me by creating a key
and placing it in all of these places, but I think it would be difficult,
and probably not worth the effort.  I am not real worried about this threat
(but heck, if someone really wants to impersonate me, I'd be flattered).

I think these measures are probably sufficient for a mailing list level of
discussion.  Any comments? (flames >/dev/null)

        Clay



- --------------------------------------------------------------------------
Clay Olbon II            | olbon@dynetics.com
Systems Engineer         | ph: (810) 589-9930 fax 9934
Dynetics, Inc., Ste 302  | http://www.msen.com/~olbon/olbon.html
550 Stephenson Hwy       | PGP262 public key: finger olbon@mgr.dynetics.com
Troy, MI 48083-1109      | pgp print: B97397AD50233C77523FD058BD1BB7C0
    "To escape the evil curse, you must quote a bible verse; thou
     shalt not ... Doooh" - Homer (Simpson, not the other one)
- --------------------------------------------------------------------------


-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBMQ4mjwS4mEMx6xUNAQFkjgP/QYovJZzguQy4yQqWYZQPCpZn1oU8VaCr
14JW7XIk29F4xDHEPT8YlCvt7lJ6aYvWNbFVpmTWzj8IiAgWwDeQZVbQyA+YRuMs
w5kOF2brGAElln+j5hxtoIzvfy2lp+Jr8c6Q3yklCX6Yizt6G+Ma08HC1HkUZ2Jd
d0GSBZwk4nw=
=PF/1
-----END PGP SIGNATURE-----
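The check the post describes, carried out in code as an added example (this is not code from the post or from any PGP release): the reader takes the fingerprint printed inside the signed message, fetches the key from each of the independent channels the author lists (the employer's finger service, the keyservers, a web page), recomputes the fingerprint of every copy and only trusts the key if all channels agree. PGP 2.6.2 keys are V3 keys, whose fingerprint is MD5 over the bodies of the modulus and exponent MPIs (RFC 4880, section 12.2), which is why the fingerprint in the signature block above is 32 hex digits. The key material, source labels and the altered "web page" copy are constructed for the example; the real modulus behind the author's fingerprint is not on the page.

```python
import hashlib

# Constructed placeholder key material, NOT the author's real key: the post
# only publishes a fingerprint, not the modulus and exponent behind it.
N_CONSTRUCTED = 0xC0FFEE1234567890ABCDEF0123456789  # arbitrary 128-bit "modulus"
E_CONSTRUCTED = 17


def mpi_body(value: int) -> bytes:
    """Big-endian octets of a PGP multiprecision integer, without the
    two-octet bit-length prefix the wire format puts in front of it."""
    return value.to_bytes((value.bit_length() + 7) // 8, "big")


def v3_fingerprint(n: int, e: int) -> str:
    """Fingerprint of a V3 (PGP 2.x) RSA public key: MD5 over the MPI bodies
    of the modulus n followed by the exponent e (RFC 4880, section 12.2)."""
    return hashlib.md5(mpi_body(n) + mpi_body(e)).hexdigest().upper()


def cross_check(claimed: str, copies: dict) -> dict:
    """Compare the fingerprint quoted inside a signed post with the fingerprint
    of each copy of the key obtained from an independent channel.
    `copies` maps a source label to an (n, e) pair; returns source -> bool.
    PGP prints fingerprints with spaces between octets, so strip them first."""
    claimed = claimed.replace(" ", "").upper()
    return {source: v3_fingerprint(n, e) == claimed
            for source, (n, e) in copies.items()}


def all_sources_agree(results: dict) -> bool:
    """The scheme only gives confidence when every channel matches: a single
    disagreeing copy means one channel was tampered with, or the post itself
    was signed with a different key than the one it advertises."""
    return bool(results) and all(results.values())


if __name__ == "__main__":
    claimed = v3_fingerprint(N_CONSTRUCTED, E_CONSTRUCTED)  # what the signed post would print
    copies = {
        "finger (employer host)": (N_CONSTRUCTED, E_CONSTRUCTED),
        "keyserver": (N_CONSTRUCTED, E_CONSTRUCTED),
        "web page": (N_CONSTRUCTED ^ 1, E_CONSTRUCTED),  # constructed: one modulus bit altered
    }
    results = cross_check(claimed, copies)
    for source, ok in results.items():
        print(f"{source:24s} {'match' if ok else 'MISMATCH'}")
    print("all sources agree:", all_sources_agree(results))
```

Two caveats a reader of the thread would want. First, the fingerprint inside the post is covered by the same signature it is meant to validate, so for a first-time reader it is circular; the independent channels are what do the work, and they only help if an attacker cannot control all of them at once. Second, V3 fingerprints are weak by modern standards: MD5 is no longer collision resistant, and because the MPI lengths are not hashed, moving octets between the modulus and the exponent leaves the fingerprint unchanged, which is one reason later PGP key formats moved to a different fingerprint construction.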