On 08/26/2011 14:18, Nicholas Cole wrote:
> On Thu, Aug 25, 2011 at 7:21 PM, Doug Barton <do...@dougbarton.us> wrote:
>> http://dougbarton.us/PGP/gen_challenges.html
>
> Dear Doug,
>
> I don't mean this in a negative way, but I struggle to see the point
> of such challenges.

So feel free not to use them. :)

> The whole point of OpenPGP is the medium across
> which email is transmitted is insecure, and there is a possibility of
> a MITM attack. I don't see how this sort of challenge-response does
> anything other than confirm that the controller of a key that claims
> to belong to a particular email address is also able to intercept and
> send messages to and from that address.

Yes, that is entirely the point.

> The only scenario that it would protect against is where key A claimed
> to belong to email address B, but actually did not, and the owner of
> key A was actually unable to read messages sent to address B.

2 for 2.

> In that case, OpenPGP would be providing no security, but the security
> of the email system itself would be such that OpenPGP was unnecessary.
>
> To put it another way: if you trust the email network sufficiently for
> your challenge to be useful, doesn't that mean you don't need
> encryption.
>
> Have I missed something?

Well, the only thing you seem to have missed is the context in which I use the script, which is my signing other people's keys. It's part of my signing policy that I do not sign a uid unless I'm sure that the holder of the key still has access to it. Similarly, this process allows me to verify that they still have access to the key(s).

One could certainly argue that my doing this verification step is overly fussy (and you wouldn't be the first), but that's my policy.

Doug

--
    Nothin' ever doesn't change, but nothin' changes much.
            -- OK Go

    Breadth of IT experience, and depth of knowledge in the DNS.
    Yours for the right price.  :)  http://SupersetSolutions.com/

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
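As an added illustration, not part of the thread and not Doug Barton's gen_challenges script: a constructed Python model of what an encrypted key-signing challenge does and does not prove, covering the cases both posters raise. Textbook RSA with fixed small primes stands in for OpenPGP encryption so the model runs on the standard library alone (it is not secure and not what gpg does); the address, party names, key pairs and mailbox model are all constructed assumptions.

```python
import hashlib
import secrets
from dataclasses import dataclass, field


# Constructed stand-in for OpenPGP public-key encryption: textbook RSA with
# fixed small primes.  It is only here so the model runs offline on the
# standard library; it is not secure and not what gpg does.
def make_keypair(p, q):
    n = p * q
    e = 65537
    d = pow(e, -1, (p - 1) * (q - 1))
    return (e, n), (d, n)          # (public, private)


def encrypt(pub, m):
    e, n = pub
    return pow(m, e, n)


def decrypt(priv, c):
    d, n = priv
    return pow(c, d, n)


def digest(nonce):
    return hashlib.sha256(str(nonce).encode()).hexdigest()


@dataclass
class Network:
    """The untrusted e-mail system: one mailbox per address (constructed)."""
    mailboxes: dict = field(default_factory=dict)

    def send(self, address, ciphertext):
        self.mailboxes.setdefault(address, []).append(ciphertext)

    def read(self, address):
        return self.mailboxes.get(address, [])


@dataclass
class Party:
    """Someone answering a challenge: a private key plus the addresses they can read."""
    priv: tuple
    readable: set


def issue_challenge(network, pub, address):
    """Signer side: encrypt a fresh nonce to the key whose uid names
    `address`, mail it there, and remember the answer expected back."""
    nonce = secrets.randbelow(1 << 32) + 2      # keep well below the toy modulus
    network.send(address, encrypt(pub, nonce))
    return digest(nonce)


def respond(network, party, address):
    """Claimant side: fetch the latest challenge at `address` (only possible if
    the party can read that mailbox) and decrypt it with the party's key."""
    if address not in party.readable:
        return None
    inbox = network.read(address)
    if not inbox:
        return None
    return digest(decrypt(party.priv, inbox[-1]))


def verify(expected, response):
    """Signer side: constant-time comparison of the returned digest."""
    return response is not None and secrets.compare_digest(expected, response)


def run_scenarios():
    """The four cases discussed in the thread, keyed by who holds what."""
    net = Network()
    addr = "alice@example.org"                         # constructed uid address
    alice_pub, alice_priv = make_keypair(1000003, 1000033)
    mallory_pub, mallory_priv = make_keypair(1000037, 1000039)

    alice = Party(alice_priv, {addr})                  # key and mailbox
    alice_locked_out = Party(alice_priv, set())        # key, lost the mailbox
    mallory = Party(mallory_priv, {addr})              # reads the mailbox, own key only

    results = {}
    # Doug's policy case: the holder still controls both key and address.
    results["key_and_mailbox"] = verify(issue_challenge(net, alice_pub, addr),
                                        respond(net, alice, addr))
    # Nicholas's case: key A claims address B but cannot read mail there.
    results["key_without_mailbox"] = verify(issue_challenge(net, alice_pub, addr),
                                            respond(net, alice_locked_out, addr))
    # Someone who can read the mailbox but does not hold the key the uid is on.
    results["mailbox_without_key"] = verify(issue_challenge(net, alice_pub, addr),
                                            respond(net, mallory, addr))
    # The limit Nicholas points out: a key whose holder also intercepts the
    # address passes, because that is all the challenge is designed to prove.
    results["intercepting_key_holder"] = verify(issue_challenge(net, mallory_pub, addr),
                                                respond(net, mallory, addr))
    return results


if __name__ == "__main__":
    for case, ok in run_scenarios().items():
        print(f"{case:26s} {'passes' if ok else 'fails'}")
```

Running it shows the challenge passing only when the responder holds the private key and can read the uid's mailbox, failing when either is missing, and passing for an intercepting party with their own key, which is exactly the scope Doug describes: it establishes continued control of key and address, nothing more.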