From: norm@netcom.com (Norman Hardy)
To: ebear@laplaza.taos.nm.us (Bear Albrecht)
Message Hash: 2892e004fb11fb47163e5322f9ca23b166269e64a702fb0e128f0cb21c6b3882
Message ID: <ad8e59160002100407e9@DialupEudora>
Reply To: N/A
UTC Datetime: 1996-04-08 09:21:22 UTC
Raw Date: Mon, 8 Apr 1996 17:21:22 +0800
From: norm@netcom.com (Norman Hardy)
Date: Mon, 8 Apr 1996 17:21:22 +0800
To: ebear@laplaza.taos.nm.us (Bear Albrecht)
Subject: Re: Why sign pubkey?
Message-ID: <ad8e59160002100407e9@DialupEudora>
MIME-Version: 1.0
Content-Type: text/plain
Thanks for the post. There is someone with a quite legitimate reason to
sign a newly generated public key with "Norman Hardy" in the user id string
but without my my e-mail address. He is one of the several other Norman
Hardy's in the U.S. I could include a very short biography which would fix
that ambiguity.
I only send secrets to people that I have some reason to trust. I gain
trust sometimes from having met someone in person and talked for a few
hours. If I get a business card with a key finger print and e-mail address
(or URL) then I am safe from such spoofing as described in your post. Her
name plays no role in the transaction.
If I trust her because you recommended her to me, then perhaps I can get a
fingerprint and URL from you. Again I need no name.
In both of these cases the URL is merely a convenience. If she moves her
web page, a search engine will soon find it given a part of the finger
print included in the web page. Unless the attacker has compromised the
search engine, I need merely send mail enciphered by her public key to the
e-mail address given in each web page claiming to own the public key. Only
she will be able to read the mail.
Recommendation:
Put URL & finger print on business cards.
Include URL and finger print in recommendations.
To send a secure message to some whose URL & trusted print you have:
Check the URL for a public key whose print matches the trusted print.
If that fails use a search engine for a better URLs.
Send mail to each e-mail address found on a web page passing the test.
Recommendations should include a little text about what things the designee
should trusted with. Programs like PGP that follow trust chains should
display the text from each recommendation in the chain.
Return to April 1996
Return to “norm@netcom.com (Norman Hardy)”
1996-04-08 (Mon, 8 Apr 1996 17:21:22 +0800) - Re: Why sign pubkey? - norm@netcom.com (Norman Hardy)