[Foundation-l] OT: Re: PGP-keysign at the tech/chapter-meeting

Aryeh Gregor Simetrical+wikilist at gmail.com
Sun Apr 5 01:03:58 UTC 2009


On Sat, Apr 4, 2009 at 6:37 AM, Jussi-Ville Heiskanen
<cimonavaro at gmail.com> wrote:
> Personally (even though I don't have tattoos) I think I
> could give details of myself that would be somewhat
> difficult to forge on short notice. The index finger of
> my right hand sports a completely healed up lack
> of nail. That is to say my index finger has a shrunken
> leathery surface where usually there would be a nail.

Okay, great.  So if someone shows up with an index finger like yours,
there are two possibilities:

1) Someone forged this e-mail from you that I was relying on, and the
key I just signed is bogus.

2) This e-mail from you is legitimate, so the key is legitimate.  But
in this case, why didn't you just skip the middle-man and include the
public key in your e-mail and have me sign it from there?

Getting a public key from someone who you've only communicated with
via e-mail can *never* be more secure than just getting the key via
e-mail somehow.  As far as I'm concerned, you may as well not exist in
real life at all.  I've only read your e-mails.  Your real-life
identity isn't necessary or even useful to my verification of the
identity I care about, viz., your e-mail identity.

The secure way to do key-signing in situations like this is to attach
a GPG signature to every e-mail you send.  If you attach the same
public key to every single e-mail you send for a few years, then
there's no question about whether the key is yours.  Whoever is
writing the e-mails is the one whose private key is used to sign the
mail, period.  If all the e-mails you've ever sent are forged, and I
only know about you by reading the e-mails, then you *are* the forger
as far as I'm concerned.

Similarly, my identity can be verified by the fact that I've had
commit access and toolserver access for a couple of years based on my
private key.  So you know (or at least, whoever has access to a secure
list of public keys of committers or toolserver users knows) that
whoever controls that private key is the one who's been doing all
those commits and things, which has pretty much got to be the same
person who's been posting on mailing lists and so on.  *That* is
secure.


Key-signings are probably a fun social event, though, even if they
aren't worth much from a security standpoint, so don't mind me.  :)
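The key-continuity argument above, as an added example that is not part of the original thread: a verifier that treats the key carried on a sender's first signed mail as the identity that matters, and flags any later mail that does not verify under that key (a different key or a broken signature is a forgery from this point of view, not a reason to trust the new key). It assumes the third-party `cryptography` package and uses Ed25519 in place of OpenPGP; every mail, key and address in it is constructed.

```python
import hashlib
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.primitives.asymmetric.ed25519 import (
    Ed25519PrivateKey, Ed25519PublicKey)

RAW = serialization.Encoding.Raw
RAW_FMT = serialization.PublicFormat.Raw

def fingerprint(pub_bytes: bytes) -> str:
    """Short key fingerprint: the value you would compare across mails."""
    return hashlib.sha256(pub_bytes).hexdigest()[:16]

def sign_mail(key: Ed25519PrivateKey, sender: str, body: str) -> dict:
    """Constructed 'signed mail' (stand-in for a PGP-signed message):
    the signature covers sender and body, and the public key travels
    with every message, as the post above proposes."""
    pub = key.public_key().public_bytes(RAW, RAW_FMT)
    return {"from": sender, "body": body, "pubkey": pub,
            "sig": key.sign(f"{sender}\n{body}".encode())}

def check_continuity(archive: list) -> tuple:
    """Verify every mail under the key seen in the first one.
    Returns (fingerprint of that key, indices of mails that do not
    verify under it). Only that long-term key is trusted; a key that
    shows up later is not used to verify anything."""
    established = Ed25519PublicKey.from_public_bytes(archive[0]["pubkey"])
    suspicious = []
    for i, mail in enumerate(archive):
        data = f"{mail['from']}\n{mail['body']}".encode()
        try:
            established.verify(mail["sig"], data)
        except InvalidSignature:
            suspicious.append(i)
    return fingerprint(archive[0]["pubkey"]), suspicious

def demo() -> list:
    """Constructed archive: three mails under the long-term key, one
    forged under a different key, one whose body was altered in transit."""
    long_term, forger = Ed25519PrivateKey.generate(), Ed25519PrivateKey.generate()
    who = "alice@example.invalid"  # placeholder address, not a real one
    archive = [sign_mail(long_term, who, f"message {n}") for n in range(3)]
    archive.append(sign_mail(forger, who, "please sign my new key"))
    tampered = sign_mail(long_term, who, "original text")
    tampered["body"] = "altered text"
    archive.append(tampered)
    return check_continuity(archive)[1]

if __name__ == "__main__":
    print(demo())  # [3, 4]
```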
