Michael Kallas wrote:
> David Shaw schrieb:
>> I've been away on vacation and only picked up this thread now. This
>> statement is not correct. Back in the PGP 2.x days, this might have
>> been true, but with OpenPGP, there is no particular requirement that
>> the ability to sign and the ability to decrypt are connected. You can
>> have a shared key with separate capabilities.
>>
>> Sending a signed key via encrypted mail does not ensure anything
>> about the key owner.
> Why not?
> Sorry, this conclusion was too fast for me, could you please explain a
> little bit?
>
Suppose you send an email to Address W and encrypt an "authentication
token" to Key X. You receive a reply from Address Y, containing the
authentication token, which has been signed with Key Z.

This tells you that /someone/ with access to W has received a message;
/someone/ with access to X has decrypted it; /someone/ with access to Z
has signed a reply; and /someone/ with access to Y has sent a reply.
Keys X and Z may or may not be the same key or subkeys of the same
primary key, addresses W and Y may or may not be the same, and Y may or
may not have been faked (which is trivial).
The "owners" of W, X, Y and Z could be four different people, or they
might not be people at all; all you can really say about the "key owner"
is that X is in contact with W and Z, and Z is in contact with X and Y.
--
Alphax
Death to all fanatics!
Down with categorical imperative!
OpenPGP key: http://tinyurl.com/lvq4g
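The exchange described in the reply above, written out as an added Python model that is not part of the original post. Addresses and keys are modelled as capabilities held by parties; encryption, decryption and signing succeed only for a holder of the relevant capability, while the From: header of a reply is deliberately not a capability. The names W, X, Y, Z, the party names and the addresses are illustrative only. The model runs the same challenge in two worlds, one where a single person holds everything and one where the mailbox, the decryption key, the signing key and the forged From: address belong to four unrelated parties, and shows that the verifier's transcript is identical in both.

```python
"""Added model of the encrypted-challenge / signed-reply exchange (not from the
thread). A token is encrypted to key X and mailed to address W; a reply from
address Y carries the token signed by key Z. Names are constructed examples."""
from dataclasses import dataclass, field
import secrets


@dataclass(frozen=True)
class Ciphertext:
    to_key: str       # key id the message was encrypted to
    sealed: bytes     # contents, readable only through Party.decrypt


@dataclass(frozen=True)
class Signed:
    by_key: str       # key id that produced the signature
    payload: bytes


@dataclass(frozen=True)
class Email:
    from_addr: str    # header chosen freely by whoever sends
    to_addr: str      # the only part bound to a real mailbox
    body: object


@dataclass
class Party:
    name: str
    addresses: set = field(default_factory=set)
    keys: set = field(default_factory=set)

    def decrypt(self, ct: Ciphertext) -> bytes:
        if ct.to_key not in self.keys:
            raise PermissionError(f"{self.name} does not hold key {ct.to_key}")
        return ct.sealed

    def sign(self, key_id: str, payload: bytes) -> Signed:
        if key_id not in self.keys:
            raise PermissionError(f"{self.name} does not hold key {key_id}")
        return Signed(key_id, payload)


class MailSystem:
    """Delivers to the holder of the To: address and logs the real sender,
    which the verifier never gets to see."""
    def __init__(self, parties):
        self.parties = parties
        self.log = []  # (real sender name, From: header as written)

    def send(self, sender: Party, mail: Email) -> Party:
        self.log.append((sender.name, mail.from_addr))
        return next(p for p in self.parties if mail.to_addr in p.addresses)


def exchange(system, verifier, W, X, Z, Y, decryptor, signer, replier):
    """One run of the protocol. The holder of W receives the challenge and may
    hand it to anyone; decryptor, signer and replier may be one party or three."""
    token = secrets.token_bytes(16)
    challenge = Email("verifier@example", W, Ciphertext(X, token))
    receiver = system.send(verifier, challenge)      # whoever holds W
    plaintext = decryptor.decrypt(challenge.body)    # needs X
    signed = signer.sign(Z, plaintext)               # needs Z
    reply = Email(Y, "verifier@example", signed)     # Y need not be held
    system.send(replier, reply)
    return receiver, token, reply


def verifier_view(W, X, token, reply):
    """Everything the verifier can actually check from the transcript."""
    return {"sent_to": W, "encrypted_to": X, "reply_from": reply.from_addr,
            "signed_by": reply.body.by_key,
            "token_matches": reply.body.payload == token}


def justified_contacts(view):
    """The only relations the exchange establishes: X is in contact with W and
    Z, and Z is in contact with X and Y. Nothing says any two are one person."""
    if not view["token_matches"]:
        return set()
    W, X = view["sent_to"], view["encrypted_to"]
    Y, Z = view["reply_from"], view["signed_by"]
    return {(X, W), (X, Z), (Z, X), (Z, Y)}


def compare_worlds():
    """Same transcript from a single owner and from four unrelated parties."""
    verifier = Party("verifier", {"verifier@example"})
    W, X, Y, Z = "w@example", "KEY-X", "y@example", "KEY-Z"

    # World 1: Alice holds both addresses and both keys.
    alice = Party("alice", {W, Y}, {X, Z})
    sys1 = MailSystem([verifier, alice])
    _, tok1, rep1 = exchange(sys1, verifier, W, X, Z, Y, alice, alice, alice)

    # World 2: mailbox, decryption key, signing key and the forged From: are
    # spread over four parties; the party sending the reply does not hold Y.
    mailbox = Party("mailbox-admin", {W})
    x_holder = Party("x-holder", set(), {X})
    z_holder = Party("z-holder", set(), {Z})
    spoofer = Party("spoofer")                 # holds neither Y nor any key
    yvonne = Party("yvonne", {Y})              # real holder of Y, never involved
    sys2 = MailSystem([verifier, mailbox, x_holder, z_holder, spoofer, yvonne])
    _, tok2, rep2 = exchange(sys2, verifier, W, X, Z, Y, x_holder, z_holder, spoofer)

    return verifier_view(W, X, tok1, rep1), verifier_view(W, X, tok2, rep2), sys2.log


if __name__ == "__main__":
    v1, v2, log = compare_worlds()
    print("transcripts identical:", v1 == v2)
    print("justified conclusions:", sorted(justified_contacts(v1)))
    print("real senders in world 2:", log)
```

`compare_worlds()` returns the two verifier views and the world-2 mail log; the views are equal and both report `token_matches`, while the log shows the reply was sent by the party that holds no key and no address. `justified_contacts()` is the contact graph the post describes, and it is all the exchange supports.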
_______________________________________________
Gnupg-users mailing list
[email protected]
http://lists.gnupg.org/mailman/listinfo/gnupg-users
