On Tue, Dec 30, 2003 at 11:54:45AM -0400, Trevor Smith typed in a frenzy:

> Automatic downloading of keys makes me wonder what the use of PGP / GPG
> signing really is. All it will do, in this case, is tell you that the
> person who sent the message is the person who uploaded the key. Which,
> in reality, tells you nothing.
> Yes, I suppose keyservers will only accept one key for one email
> address (is this true?) so if I'm the one who uploads a key for
> trevor@xxxxxxxxxxxxxx *FIRST*, then the "real" trevor@xxxxxxxxxxxxxx
> would be the one posting to this list. But even though I know this
> (since I'm him), you wouldn't have any proof of it, since you don't
> know I'm him. Maybe I'm someone pretending to be me and I created a key
> and started sending emails to this list. Unless you emailed me
> directly, you'd never know (presumably without much more sophisticated
> hacking a "fake" trevor wouldn't be able to intercept my email).
>
> Or suppose I just created a "slightly faked" domain and address like
> trevor@xxxxxxxxxxxxx (notice the missing "i" in "haligonian"), created
> a key, uploaded it and started signing messages. If you auto-download
> keys then you might never even notice that this is a "new" trevor.
>
> If you only get keys manually, you would at least have a little more
> awareness of some of that spoofing and maybe more direct knowledge of
> who you're communicating with.

Trevor, I agree with you entirely. This is one reason why I pay such close attention to the e-mail addresses of individuals that do sign stuff. I typically don't fetch keys automatically. I have to admit, though, that setting gpg to fetch those keys automatically does sound quite attractive. It can be a pain to fetch them manually, but this is only if you're fetching a ton at a time every other frickin' day. Since this isn't the case it's quite alright.

But for all of my diligence, I'm a moron and I have yet to put my public key up on my web page. Now how's that for stupidity.

^_^
Alex
http://ghostlike.homelinux.org/security.htm
(Where my key will be when I'm done bein' lazy. hehe)
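The two spoofing cases Trevor describes (a stranger uploading the first key for a real address, and a key for a look-alike domain) are exactly what silent auto-fetching hides. The following is an added example, not code from this thread, of the kind of local check a reader could run on a signature before accepting a freshly fetched key: it flags any key not already in a hand-verified table, any known UID that suddenly arrives under a different fingerprint, and any domain within a small edit distance of a correspondent's real domain. The trusted-key table, fingerprints and domains are constructed placeholders.

```python
# Constructed data: keys the reader fetched manually and verified out of band
# (fingerprint -> e-mail address in the key's UID). Placeholder values.
TRUSTED_KEYS = {
    "ABCD1234ABCD1234ABCD1234ABCD1234ABCD1234": "trevor@haligonian.example",
}
# Domains of correspondents the reader actually knows (constructed).
KNOWN_DOMAINS = {"haligonian.example"}


def edit_distance(a, b):
    """Levenshtein distance; a distance of 1 or 2 marks a look-alike domain."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def classify_signer(fingerprint, uid_email):
    """Return warnings for a signature made by `fingerprint` whose UID is `uid_email`.

    An empty list means the key is one the reader already verified by hand.
    """
    uid_email = uid_email.lower()
    warnings = []
    if fingerprint in TRUSTED_KEYS:
        if TRUSTED_KEYS[fingerprint] != uid_email:
            warnings.append("uid-changed")  # known key, unexpected address
        return warnings
    # An auto-fetch would accept this key silently; make the "new key" visible.
    warnings.append("unknown-key")
    if uid_email in TRUSTED_KEYS.values():
        # Same address as a verified correspondent but a different key:
        # the "someone uploaded a key for my address first" case.
        warnings.append("same-uid-different-key")
    domain = uid_email.rsplit("@", 1)[-1]
    if domain not in KNOWN_DOMAINS:
        for known in sorted(KNOWN_DOMAINS):
            if edit_distance(domain, known) <= 2:
                # The missing-letter domain case (e.g. "haligonan" vs "haligonian").
                warnings.append("lookalike-domain:" + known)
    return warnings
```

A warning list is a prompt to fetch and compare the key by hand, which is the awareness Trevor argues manual fetching preserves.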