1996-01-31 - Re: Signature use and key trust (Was: Re: FV Demonstrates Fatal Flaw in Software Encryption of Credit)

Header Data

From: futplex@pseudonym.com (Futplex)
To: nsb@nsb.fv.com (Nathaniel Borenstein)
Message Hash: 4f7c7ed5c9fc4151407b86faf66f58e8114480cef04ee7cbbc878d71948ee65e
Message ID: <199601300431.XAA23839@opine.cs.umass.edu>
Reply To: <Al3Ie8GMc50e0WY6IN@nsb.fv.com>
UTC Datetime: 1996-01-31 01:14:15 UTC
Raw Date: Wed, 31 Jan 1996 09:14:15 +0800

Raw message

From: futplex@pseudonym.com (Futplex)
Date: Wed, 31 Jan 1996 09:14:15 +0800
To: nsb@nsb.fv.com (Nathaniel Borenstein)
Subject: Re: Signature use and key trust (Was: Re: FV Demonstrates Fatal Flaw in Software Encryption of Credit)
In-Reply-To: <Al3Ie8GMc50e0WY6IN@nsb.fv.com>
Message-ID: <199601300431.XAA23839@opine.cs.umass.edu>
MIME-Version: 1.0
Content-Type: text/plain


Nathaniel Borenstein writes:
> Have you downloaded my key from the net?  Assume that you have.  How do
> you know it's mine?

For all intents and purposes so far, "Nathaniel Borenstein" is something that
occasionally sends mail to the cypherpunks list, apparently from nsb.fv.com.
I expect that NSB turns out to consist of more than that, but not in my own
experience. This entity persistently offers a public key from an email address
@nsb.fv.com. If I retrieved the key from that address, I would have a
reasonable expectation (though not assurance) that I could use it to verify
the integrity of signed messages emanating from that address. 

In my world, "you" == nsb@nsb.fv.com, and hence "your key" == the key I could
fetch from nsb+faq@nsb.fv.com.

> I use PGP about 20 times per day.  I use it in a manner that is
> *meaningful*.  Unless we have in some way or another verified each
> others' keys, it is meaningless for me to sign a message to you. 
> Putting a PGP signature on a message to someone who has no way of
> verifying your keys is a nice political statement, but is utterly
> meaningless in terms of adding any proof of the sender's identity.  --

I discussed the identity issue above. Assuming a corresponding key can be
found (which is clearly the case here), the signature on the message can be
verified as a MAC. It would have been nice to be able to check, for example, 
that the SHOUTING IN CAPS in your announcement wasn't just the result of some
manipulation of the message in transit to make it appear more hysterical.

FWIW, I have lost a great deal of respect for you today (unrelated to the
content of this message).

Futplex <futplex@pseudonym.com>

Version: 2.6.2