[WikiEN-l] Encrypted challenge-responses for PGP/GPG key users

Avi avi.wiki at gmail.com
Tue May 8 17:21:54 UTC 2007


Sorry, I forgot to copy the list.

From: Avi <avi.wiki at gmail.com>
Date: May 8, 2007 1:18 PM
Subject: Re: [WikiEN-l] Encrypted challenge-responses for PGP/GPG key users
To: Gregory Maxwell <gmaxwell at gmail.com>

Which is why at most this would be signed level 2.

That is possible; on the other hand, you would ALSO have had to access
Cyde's account and post on WP:ANI with what we were discussing, AND you
would have had to compromise his e-mail account as well, simultaneously with
his wiki account.

I'm not saying that I would give level 3, but between the
challenge-responses through two completely different media, and the fact
that I imported his key months ago, before you would ever have known that I
wanted to perform a challenge-response with him, makes the possibility you
mention really, really minute.

Of course, it is still more likely than you forging a government-issued
picture ID in his name, but not as likely any longer as just the standard
MITM would be.

Thoughts?

--Avi


On 5/8/07, Gregory Maxwell <gmaxwell at gmail.com> wrote:
>
> On 5/8/07, Avi <avi.wiki at gmail.com> wrote:
>
> > http://en.wikipedia.org/wiki/Wikipedia:Administrators%27_noticeboard/Incidents#Suggestion_for_enhanced_Admin_identification_and_security
> > it may not be a poor idea for some of us to either meet in person with our
> > fingerprints, or at the very least perform encrypted challenge-responses
> > with each other, to create a baseline for identification purposes.
>
>
> I don't see how your encrypted challenge response isn't vulnerable to
> a MITM attack. ;)
>
> I.e. I claim to be cyde and give you a key I control but which says
> 'cyde', then I go to cyde and give him a key claiming to be you..
> then I proxy communication between you two. :)
>
>
>
> The standard behavior for PGP web of trust is a verified identity
> exchange, i.e. person to person with a shown ID.

