on 7/12/2007 9:23 PM, Les wrote: > On Thu, 2007-07-12 at 19:02 -0700, David Boles wrote: >> on 7/12/2007 6:29 PM, Tim wrote: >>> On Thu, 2007-07-12 at 10:01 -0700, Les wrote: >>>> I am starting this thread because I see many folks signing their >>>> emails with a digital signature. >>> I don't see a problem in someone posting a signed message. I do see a >>> problem in beleiving that they are who they claim to be. There isn't >>> any verification done, it's self-signed (self created). I've yet to >>> find *any* GPG/PGP key that was counter-signed by another person, let >>> alone one that was counter-signed by someone I trust. >>> >>> I think that is a glaring omission when it comes to RPM packages, or >>> even notices about updates. Nevemind e-mails. >> There is a better chance of me being 'me' than there is of you being >> 'you'. ;-) >> >> Websites are signed, they have certificates, as well as packages are >> signed by distributions. I would much rather trust a package signed by >> Fedora than I would one without a signature. Or one that I do not know. >> >> If you, for example, used Gnupg as I do you and I could actually send >> private emails. Ones that only you and I can read. Since every server >> keeps a copy of everything that you post, not just you but everyone, just >> about anyone can read what you write. >> >> Kinda' makes you feel naked doesn't it? ;-) > Websites were signed with 64 bit and 128 bit encryption, also, and the > results of that are why we are seeing 256 and 1024 bit schemes proposed > and used. > > Assymetric encryption (PGP stuff) means that there are two keys, derived > from the original design, through either a geometric or exponential > process. Encryption itself can be viewed as noise in the communications > channel obscuring the signal. Several forms of attack are based upon > that. Assymetric processes simply add more noise, but if geometric > based the noise has a specific characteristic. Now I cannot break such > encryption schemes, but I can see that there should be means available, > just not in the traditional sense of breaking a code. I can visualize > several forms of attack, but that is for another forum. > > My question here is how safe is the process, and how do you implement it > personally to ensure it is safe? Moreover, can you estimate the risk > being taken with the information. Is it safe for a year, a day or a > century, given the resources available today? Is the process by which > the keys are distributed and used available to anyone, and can they be > falsified, and would falsification reduce the security of the process? > Where are the instructions available for implementing the process. For > example, David, your messages give me the warning Valid signature, > cannot verify sender. > > So if this is the case, how could I trust your signature in a vital > situation. In the case of double encryption, as in the case of "shared > secrecy" for PGP, how secure is the result? And how was that > determined? Today, teraflops on the desktop are a reality, and the big > guys are into thousands of petaflops (whatever the next designator might > be. My feeble brain quit counting at peta.) > > Also if parallel attacks several tens of thousands wide are attempted, > how secure it the information and for how long? If a new view of > decryption comes along, what will become of the algorithm and how will > we know when it is broken? What if I used something like n-dimensional > ffts against a noise added attack, would the key and data break apart > like virus attacked dna? > > But to keep it simple here, is there somewhere a guide that gives step > by step what do do to ensure the following: > 1. you can use pgp signatures in both sending and receiving email. > 2. Instructions for implementing, posting and using your own > signatures. > 3. the means of generating shared secret posts. > 4. what to do if you discover that your signature and encryption is > broken. > 5. some estimate of the safety of the algorithms used. This is not some 'password' that I picked out of my past. Dogs name. Mother's maiden name. My key was created with 1024 randomly generated encryption. Tell you what I will do Les. This is really stupid but just to prove a point. You don't have a key. If you did, and I used you public key for this, you could read what I am going to send to you because that is the way this works. Privately of course. I won't trouble the list with this. Something really simple, easy to find, better yet some that I *know* that you are familiar with, or should be. No tricks. But Encrypted with my key and a friends public key. When you decode it you post the results here. Honestly. I will admit it if you can do that. take as long as you like but do keep us posted over the weeks of your progress. ;-) -- David
Attachment:
signature.asc
Description: OpenPGP digital signature