1996-05-08 - Re: Senator Leahy’s Public Key

Header Data

From: “msmith” <msmith@rebound.slc.unisys.com>
To: cypherpunks@toad.com
Message Hash: d111b131da56333523bd3a58516a5c0c31e7c03d17d4258d264cb096b8c1ab89
Message ID: <199605071951.TAA14244@rebound.slc.unisys.com>
Reply To: <199605050623.XAA17801@netcom8.netcom.com>
UTC Datetime: 1996-05-08 04:26:01 UTC
Raw Date: Wed, 8 May 1996 12:26:01 +0800

Raw message

From: "msmith" <msmith@rebound.slc.unisys.com>
Date: Wed, 8 May 1996 12:26:01 +0800
To: cypherpunks@toad.com
Subject: Re: Senator Leahy's Public Key
In-Reply-To: <199605050623.XAA17801@netcom8.netcom.com>
Message-ID: <199605071951.TAA14244@rebound.slc.unisys.com>
MIME-Version: 1.0
Content-Type: text


Bill Frantz said:
> The more I think about Senator Leahy's public key, the more I keep coming
> back to a point I only alluded to before.
> 
> How do we know the key is actually his key?
> 
> The key is only self signed.  It could be a fake.  If, as I have assumed,
> its primary use will be to sign public statements posted to the net, how
> will we know they are actually from Senator Leahy, and not some impostor?
> 
> I strongly urge the senator to join the web of trust and get some other
> signatures on his key.

Actually, I've been thinking about this, and how do we *really* know that
*anyone's* keys are actually theirs?  I'm new to this list and have been 
collecting some of the keys from people who post with PGP signatures, but 
even at that, I never certify them myself because I am not 100% absolutely
certain that the key in question belongs to that person.  After all, what
if some clever hacker dropped in and replaced someone's .plan file, or 
edited their index.html file?  There's no real way to be absolutely 
certain.

How certain are we that the keyservers are 100% bulletproof?  Hell, I 
could call Joe Schmoe up and say "tell me your fingerprint", but how do I 
*really* know I'm talking to Joe unless I knew him before getting his 
signature?  

Just some thoughts about some of the basic flaws in this sort of system.  

BTW, I collect the signatures because I have a patched version of Elm which
goes out and automatically tries to verify all PGP signed messages, and 
it's kind of annoying when it can't find the signature (all sorts of junk
goes sprawling up my screen).  


> Bill Frantz       | The CDA means  | Periwinkle  --  Computer Consulting
> (408)356-8506     | lost jobs and  | 16345 Englewood Ave.
> frantz@netcom.com | dead teenagers | Los Gatos, CA 95032, USA

-- 
Matt Smith - msmith@unislc.slc.unisys.com
"Nothing travels faster than light, with the possible exception of bad news, 
which follows its own rules." - Douglas Adams, "Mostly Harmless"
Disclaimer:  I came up with these ideas, so they're MINE!




