[WikiEN-l] Encrypted challenge-responses for PGP/GPG key users

Todd Allen toddmallen at gmail.com
Tue May 8 23:09:55 UTC 2007


On 5/8/07, Avi <avi.wiki at gmail.com> wrote:
> Sorry, I forgot to copy the list.
>
> From: Avi <avi.wiki at gmail.com>
> Date: May 8, 2007 1:18 PM
> Subject: Re: [WikiEN-l] Encrypted challenge-responses for PGP/GPG key users
> To: Gregory Maxwell <gmaxwell at gmail.com>
>
> Which is why at most this would be signed level 2.
>
> That is possible; on the other hand, you would ALSO have had to access
> Cyde's account and post on WP:ANI with what we were discussing, AND you
> would have had to compromise his e-mail account as well, simultaneously with
> his wiki account.
>
> I'm not saying that I would give level 3, but between the
> challenge-responses through two completely different media, and the fact
> that I imported his key months ago, before you would ever have known that I
> wanted to perform a challenge-response with him, the possibility you
> mention is really, really minute.
>
> Of course, it is still more likely than you forging a government-issued
> picture ID in his name, but not as likely any longer as just the standard
> MITM would be.
>
> Thoughts?
>
> --Avi
>
>
>  On 5/8/07, Gregory Maxwell <gmaxwell at gmail.com> wrote:
> >
> > On 5/8/07, Avi <avi.wiki at gmail.com> wrote:
> >
> > > http://en.wikipedia.org/wiki/Wikipedia:Administrators%27_noticeboard/Incidents#Suggestion_for_enhanced_Admin_identification_and_security
> > > It may not be a poor idea for some of us to either meet in person with our
> > > fingerprints, or at the very least perform encrypted challenge-responses
> > > with each other, to create a baseline for identification purposes.
> >
> >
> > I don't see how your encrypted challenge response isn't vulnerable to
> > a MITM attack. ;)
> >
> > I.e. I claim to be cyde and give you a key I control but which says
> > 'cyde', then I go to cyde and give him a key claiming to be you,
> > then I proxy communication between you two. :)
> >
> >
> >
> > The standard behavior for PGP web of trust is a verified identity
> > exchange, i.e. person to person with a shown ID.
> _______________________________________________
> WikiEN-l mailing list
> WikiEN-l at lists.wikimedia.org
> To unsubscribe from this mailing list, visit:
> http://lists.wikimedia.org/mailman/listinfo/wikien-l
>

No system of security is ever perfect. But at least this way we'll
have a fallback in case of disaster.

-- 
Freedom is the right to know that 2+2=4. From this all else follows.
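The substitution attack Gregory describes, and the pinned-key check Avi is relying on, as an added example that is not part of this thread or of any Wikimedia code: a Go model of an "encrypted challenge-response" in which the verifier encrypts a fresh nonce to the key it holds under the peer's name and accepts if the nonce comes back. PGP encryption is stood in for by ephemeral X25519 plus AES-256-GCM from the Go standard library, with SHA-256 as a toy key-derivation step; the participants (Cyde, an attacker "Mallory"), their keys, the fingerprint format and the pinning check are all constructed for the example. The transport function models the channel: either the real Cyde answers directly, or Mallory, having handed Avi a key of her own labelled "cyde", decrypts the challenge, re-encrypts it to the real Cyde and relays his reply, exactly the proxying in the quoted message.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Fingerprint stands in for a PGP key fingerprint: a hash of the public key bytes.
func Fingerprint(pub *ecdh.PublicKey) string {
	sum := sha256.Sum256(pub.Bytes())
	return fmt.Sprintf("%x", sum[:8])
}

func mustKey() *ecdh.PrivateKey {
	k, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// aeadFor derives AES-256-GCM from an X25519 shared secret (toy KDF; real code uses HKDF).
func aeadFor(shared []byte) cipher.AEAD {
	key := sha256.Sum256(shared)
	block, _ := aes.NewCipher(key[:]) // cannot fail for a 32-byte key
	gcm, _ := cipher.NewGCM(block)    // cannot fail for AES
	return gcm
}

// Seal encrypts msg to recipient: ephemeral X25519 public key (32 bytes) || 12-byte
// GCM nonce || ciphertext+tag. Only the holder of recipient's private key can open it.
func Seal(recipient *ecdh.PublicKey, msg []byte) ([]byte, error) {
	eph := mustKey()
	shared, err := eph.ECDH(recipient)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, 12)
	rand.Read(nonce) // crypto/rand.Read is documented (Go 1.24+) never to return an error
	return aeadFor(shared).Seal(append(eph.PublicKey().Bytes(), nonce...), nonce, msg, nil), nil
}

// Open is the inverse of Seal; it fails when priv is not the key the message was sealed to.
func Open(priv *ecdh.PrivateKey, sealed []byte) ([]byte, error) {
	if len(sealed) < 44 {
		return nil, fmt.Errorf("sealed message too short: %d bytes", len(sealed))
	}
	ephPub, err := ecdh.X25519().NewPublicKey(sealed[:32])
	if err != nil {
		return nil, err
	}
	shared, err := priv.ECDH(ephPub)
	if err != nil {
		return nil, err
	}
	return aeadFor(shared).Open(nil, sealed[32:44], sealed[44:], nil)
}

// ChallengeResponse: the verifier encrypts a fresh nonce to the key it holds for the peer,
// sends it via transport (the peer directly, or an attacker in between), and accepts if the reply matches.
func ChallengeResponse(peerKey *ecdh.PublicKey, transport func([]byte) []byte) bool {
	nonce := make([]byte, 16)
	rand.Read(nonce)
	sealed, err := Seal(peerKey, nonce)
	if err != nil {
		return false
	}
	return bytes.Equal(transport(sealed), nonce)
}

// Demo plays out the thread's scenario with constructed keys and reports whether the
// challenge passes honestly, whether it still passes through Mallory, and whether the
// key Avi is using matches the fingerprint pinned from the copy imported months earlier.
func Demo() (honestPass, mitmPass, pinnedMatches bool) {
	cyde := mustKey()
	pinned := Fingerprint(cyde.PublicKey()) // obtained before Mallory could interfere
	cydeAnswers := func(c []byte) []byte {  // the real Cyde decrypts whatever reaches him
		r, _ := Open(cyde, c)
		return r
	}
	honestPass = ChallengeResponse(cyde.PublicKey(), cydeAnswers)
	// Mallory handed Avi a key labelled "cyde" that she controls; she decrypts the
	// challenge, re-encrypts it to the real Cyde, and relays his answer back.
	fakeCyde := mustKey()
	mitmPass = ChallengeResponse(fakeCyde.PublicKey(), func(c []byte) []byte {
		inner, _ := Open(fakeCyde, c)
		relayed, _ := Seal(cyde.PublicKey(), inner)
		return cydeAnswers(relayed)
	})
	pinnedMatches = Fingerprint(fakeCyde.PublicKey()) == pinned // the check the challenge never makes
	return honestPass, mitmPass, pinnedMatches
}
```

Demo() returns true for the honest run and, as Gregory's objection predicts, true for the proxied run too: the challenge only proves that whoever holds the private half of the key stored under "cyde" can decrypt, not that the name on that key belongs to the right person. The binding comes from the last line, comparing the key in use against a fingerprint obtained earlier through a channel the attacker could not influence (the key imported months before, or a fingerprint read off a slip of paper in person); with the substituted key that comparison comes back false.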
