Sorry, I forgot to copy the list.
From: Avi avi.wiki@gmail.com
Date: May 8, 2007 1:18 PM
Subject: Re: [WikiEN-l] Encrypted challenge-responses for PGP/GPG key users
To: Gregory Maxwell gmaxwell@gmail.com
Which is why at most this would be signed level 2.
That is possible, on the other hand, you would ALSO have had to access Cyde's account and post on WP:ANI with what we were discussing, AND you would have had to compromise his e-mail account as well, simultaneously with his wiki account.
I'm not saying that I would give level 3, but between the challenge-responses through two completely different media, and the fact that I imported his key months ago, before you would ever have known that I wanted to perform a challenge-response with him, makes the possibility you mention really, really minute.
Of course, it is still more likely than you forging a government-issued picture ID in his name, but not as likely any longer as just the standard MITM would be.
Thoughts?
--Avi
On 5/8/07, Gregory Maxwell gmaxwell@gmail.com wrote:
On 5/8/07, Avi avi.wiki@gmail.com wrote:
http://en.wikipedia.org/wiki/Wikipedia:Administrators%27_noticeboard/Inciden...
may not be a poor idea for some of us to either meet in person with our fingerprints, or at the very least perform encrypted challenge-responses with each other, to create a baseline for identification purposes.
I don't see how your encrypted challenge response isn't vulnerable to a MITM attack. ;)
I.e. I claim to be cyde and give you a key I control but which says 'cyde', then I go to cyde and give him a key claiming to be you.. then I proxy communication between you two. :)
The standard behavior for PGP web of trust is a verified identity exchange, i.e. person to person with a shown ID.