Tim: >> Yeah, I know. It makes it hard for a second person to say that >> they're John Doe, but it's still dead easy for one person to say >> they are, in the first place. >> >> If another person decide they're going to claim their John Doe, make >> a GPG/PGP key for their John Doe persona, their signed e-mails will >> show up as being valid. They are, they person who made *their* key >> also made their message. It's a different key than the other John >> Doe, of course, but your mail &/or GPG/PGP client doesn't do that >> sort of check. Todd Zullinger: > If you've got a gpg plugin for your mail that doesn't do this sort of > check and provide a way to alert the user to the fact that the keys > don't match, then that plugin is crap. John Doe <johndoe@xxxxxxxxxxx> creates his own key, signs his messages, publishes his key. You receive his message, you check the key, it's confirmed. Moriarty decides to be a pain, creates an email account to masquerade as John as well "John Doe" <johndoe@xxxxxxxxxxx>, creates his own key, signs his message, publishes his key. You receive his message, you check its key (automatically fetched by using the ID code present in the signed message), it confirms the message and signature go together. That's how every co-operative mail/PGP client I've used works. There really is nothing that either person can do to invalidate the other key. It'd take a war of words between the two people in a common forum for someone else to tell them apart. Even then, some will believe they're the same person, just playing at trolling games. It's common enough for users to have multiple addresses, and they may use separate PGP keys. I don't want to test whether a keyserver will accept being given two different keys for the same address (e.g. Moriarty faking mails sent as johndoe@xxxxxxxxxxx rather than the second address). It's just too hard to take things out the system, it doesn't have a real delete functionality. But I suspect it will. In the past I've submitted keys to keyserver, and that's included two different keys that include a common e-mail address. A mail client wanting a key would be asking for the key by ID not e-mail address. It'll get the key that matches the message they're checking. > It's also possible that many users don't understand how to work with > the pgp system and thus they ignore important pieces of information. > There is some amount of work that needs to be done by each user in > order to avoid various pitfalls. There are some unavoidable pitfalls. >> But have a look at the update notices. Those are signed by the >> person maintaining that package, I've only seen self-signed >> messages. None with a countersign to their signature. > Where are those at? I don't subscribe to the package announcement > list and looking at the archives I didn't see any signtures, so either > I'm not looking at what you're talking about or the list software is > filtering the sigs. Most aren't, I've got a few that do. Just doing a quick search, I found an old one, and attached it to this message. -- [tim@bigblack ~]$ rm -rfd /*^H^H^H^H^H^H^H^H^H^Huname -ipr 2.6.21-1.3228.fc7 i686 i386 Using FC 4, 5, 6 & 7, plus CentOS 5. Today, it's FC7. Don't send private replies to my address, the mailbox is ignored. I read messages from the public lists.
--- Begin Message ---
- To: fedora-announce-list@xxxxxxxxxx
- Subject: Fedora Core 3 Update: system-config-printer-0.6.116.1-1
- From: Tim Waugh <twaugh@xxxxxxxxxx>
- Date: Mon, 31 Jan 2005 17:55:29 +0000
- Delivery-date: Tue, 01 Feb 2005 06:47:05 +1100
- Envelope-to: lists-linux@xxxxxxxx
- Reply-to: fedora-list@xxxxxxxxxx
- User-agent: Mutt/1.4.1i
--------------------------------------------------------------------- Fedora Update Notification FEDORA-2005-087 2005-01-31 --------------------------------------------------------------------- Product : Fedora Core 3 Name : system-config-printer Version : 0.6.116.1 Release : 1 Summary : A printer configuration backend/frontend combination. Description : The printconf utility is a printer configuration and filtration system based on magicfilter (the alchemist data library) and the foomatic filter system. It rebuilds local print configuration and spool directories from data sources at lpd init time, and is integrated to use the multi-sourced features of the alchemist data library. --------------------------------------------------------------------- Update Information: Bug-fix release. --------------------------------------------------------------------- * Fri Jan 28 2005 Tim Waugh <twaugh@xxxxxxxxxx> 0.6.116.1-1 - 0.6.116.1: - Fixed LPD checkbox (bug #142978). - Allow digits at the start of the queue name (bug #121772). --------------------------------------------------------------------- This update can be downloaded from: http://download.fedora.redhat.com/pub/fedora/linux/core/updates/3/ 23e15ab52f2d5591972707526efffd48 SRPMS/system-config-printer-0.6.116.1-1.src.rpm e3d5c8599d44b6fa46e319a07e0f1b07 x86_64/system-config-printer-0.6.116.1-1.x86_64.rpm c5c50bc84f959ebb89fcfee260154cc4 x86_64/system-config-printer-gui-0.6.116.1-1.x86_64.rpm 46c1f879b2cbf8ca597d7256e2451ea8 x86_64/debug/system-config-printer-debuginfo-0.6.116.1-1.x86_64.rpm 4b604588c52bfb91f76086b8cd530ced i386/system-config-printer-0.6.116.1-1.i386.rpm b0bfd1a281952a726bccc391a7ba6c9d i386/system-config-printer-gui-0.6.116.1-1.i386.rpm b578c2549b21a86f804ccd428340ea24 i386/debug/system-config-printer-debuginfo-0.6.116.1-1.i386.rpm This update can also be installed with the Update Agent; you can launch the Update Agent with the 'up2date' command. ---------------------------------------------------------------------Attachment: pgpjzdUOrJkyJ.pgp
Description: PGP signature-- fedora-announce-list mailing list fedora-announce-list@xxxxxxxxxx http://www.redhat.com/mailman/listinfo/fedora-announce-list
--- End Message ---
