GPG testing...

Sat Dec 28 14:08:23 EST 2002

bscott at ntisys.com wrote:
> On Sat, 28 Dec 2002, at 1:45pm, mkomarinski at wayga.org wrote:
> 
>>Isn't one of the points of GPG to validate that the person you're talking
>>to is really who they say they are?
> 
> 
>   It validates that the sender had access to your private key.  Presumably,
> only you have access to your key, but even that is far from a given in
> anonymous communications.

They'd also need your pass phrase. They'd need your private key and your 
passphrase to forge a signature. In most cases, that mean physical 
access to your hardware and the area where you keep your passphrase 
written down (if you do such a thing). IMHO, you've got more problems in 
that case than someone simply forging signed emails.

> 
> 
>>GPG allows me to do that, by signing my e-mails.  If it's not signed, then
>>it's not from me.
> 
> 
>   Well, you can assert that, but GPG has nothing to do with it.  An unsigned
> message has no authentication information, one way or the other.  There is
> certainly nothing keeping you from sending an unsigned message.  Of course,
> people you know might beleive you when you say that if it was not signed, it
> was not from you, but presumably, if people are willing to trust your word
> on that, they would also trust your word if you just said you did not send
> the mail in question in the first place.
> 

I agree with Mr. Scott on the last part. Always signing your mails, and 
having a mailer that does autosign is great, *may* give you a level of 
comfort over not signing mails. However, you have absolutely no way to 
prove that you didn't send the non signed message that says it came from 
you.

Furthermore, there's nothing to stop a malicious person from publishing 
a key and say its for your email address and use that key to sign 
messages. Now, you might have even bigger problems depending upon what 
they want to do to you.

OpenPGP is all right as far as it goes, but there is not built-in 
authority. You have to trust your key sources and check with people you 
know before trusting any keys.

Something more like the way server certificates are handed out is 
better, IMHO. At least some presumabely competent authority checks that 
you are who you claim to be, and then issues the certificate. There's an 
audit trail and if someone tries to spoof you, there's a good chance 
you'll catch 'em. If someone sticks a key on a keyserver claiming to be 
you, there isn't anything you can do about it.