-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Bah! What a wonderful article! Thank you Indra for this great topic. I
am a newbie in gpg/pgp. I have come to know some great security
structure and some of its loopholes from the article. Still, I need to
say something. I am quoting Raju's message as reference and my confusion
afterwards.
[Quote from Raju's message]
Since the 'net is the most popular method of distributing public keys,
it's as easy to tamper with keys as it is to tamper with messages --
thereby defeating the very purpose of PGP itself! So it's important
that you do not trust bare keys which you have got from the Internet,
unless (a) you have contacted the owner of the key separately *and via
a different medium, e.g. phone, fax or snail-mail* and verified the
key actually belongs to him/her, or (b) verified that the key is
signed by someone you trust.
[End of quote]
May I be sure of a person's social identity if somebody whom I have
called replied to me that the key belongs to him? It may also happen that
he sent me a fax with his key-ID. It may prove his physical identity,
but should I believe the physical identity of someone I do not know at all?
How do I judge that this is the right person whom I can trust?
[Raju's quote]
Each person interested in having his/her keys signed then has to prove
that they actually are that person, e.g. by means of a driving license,
a passport, credit card with photo, etc. and to orally verify that the
key details on the printed paper actually are his/hers.
[End of quote]
If a person provides all the above documents, can he be treated as
a right person whom I can trust? Are the documents enough to prove
his identity? Is it very hard these days to make fake documents of
those? So, how do I make sure about the person and his identity?
How do I satisfy myself with the level of trust of a person?
Just think about the situation: you have arranged a key signing party
and I was there with my passport, driving license, credit card etc. etc.
and you got me as one of your new friends. We started sending some
encrypted messages between ourselves. We came close and you liked my
gentlemanship. After some years, it is seen that we have become very
much reliable and dependent on each other. One fine morning you are surprised to
see my picture in the newspaper: a terrorist has been arrested and
the picture is none but myself. :-) So what will be your level of trust
in that situation? You verified my above documents before you gave me
your heart.
In my opinion, trust is a level which might change from time to
time. There must not be any ultimate level of trust; believe me, I
may not believe those web sites either which contain our trusted keys.
After some days, it may also come forward that they are doing
some forgery behind their trusted face.
Is it at all required to mix this trust and identity into our
friendship? We are not going to share our Internet Banking login ID
and password with you. I think you will do that in some other fashion, or
only with those whom you really trust, like your son or your father.
LUG is for fellowship and it is a good forum to learn things. So, if we
treat our LUG from that point of view, I feel many problems will be
solved, but your message is really an alarm to all of us and I respect
your view for making us aware of the fact.
Regards
Anindya Banerjee
Indranil Das Gupta wrote:
> Hi,
>
> On Mon, 2005-08-22 at 22:10 +0530, Jaybrata Bhattacharyya wrote:
>
>>we can build a web of trust at the mailing list level. at least we know
>>that the email addresses are valid and belong to those who post to this
>>list. so why not start a list level key signing part now?
>
>
> Sorry to be a party pooper! But what you are suggesting has an inherent
> fallacy... you are right that the email addresses used to post are valid
> (as in working email addresses) but that does not really prove that
> people behind the email ids are actually who they claim to be (that's a
> very basic requirement for any web-of-trust scenario).
>
> A certain protocol needs to be *strictly* observed at a key-signing
> party. Please go through this rather long post from the ILUG-Delhi m/l
> archives.
>
> http://www.mail-archive.com/[email protected]/msg00279.html
>
> [FWIW, Raju *is* a nationally recognised security expert and had hosted
> quite a few key signing parties for ILUG-Delhi.]
>
> cheers,
> -indra.
>
>
>>- --
>>jaybrata
>
>
>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
iD8DBQFDC1n+QsgTNm4Jvc4RAmnDAKDBqQBLguurN3tKcccqFkWLAb3WzgCg3yn6
Vcp82mhosNlxG54Es90MKNU=
=aZEB
-----END PGP SIGNATURE-----
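The two rules quoted from Raju above (trust a key only after checking its fingerprint out of band, or after it has been signed by someone you already trust) and Anindya's point that trust can be withdrawn later are easier to see in a small model. The following is an added example, not code from this thread or from GnuPG; it follows the classic GnuPG trust model defaults (one fully trusted introducer, or three marginally trusted ones, within a chain depth of five). Every name, fingerprint and signature in it is constructed.

```python
"""
Toy model of the PGP web of trust (added example; not from the thread or from
GnuPG itself). A key is valid when it carries a certification from one fully
trusted valid key, or from three marginally trusted valid keys, following the
GnuPG defaults --completes-needed 1 / --marginals-needed 3 / --max-cert-depth 5.
All names and fingerprints below are constructed.
"""
import re

FULL, MARGINAL, NONE = "full", "marginal", "none"


def same_fingerprint(printed: str, from_keyring: str) -> bool:
    """Compare the fingerprint read from a paper slip or fax with the one the
    keyring shows, ignoring grouping spaces and letter case. Only a full
    40-hex-digit fingerprint counts; a short key ID is not enough."""
    def norm(s):
        return re.sub(r"\s+", "", s).upper()
    a, b = norm(printed), norm(from_keyring)
    return len(a) == 40 and a == b


class WebOfTrust:
    def __init__(self, my_fp, completes_needed=1, marginals_needed=3, max_depth=5):
        self.my_fp = my_fp
        self.completes_needed = completes_needed
        self.marginals_needed = marginals_needed
        self.max_depth = max_depth
        self.certs = {my_fp: set()}   # key fingerprint -> set of signer fingerprints
        self.owner_trust = {}         # fingerprint -> FULL / MARGINAL / NONE (my own judgement)

    def add_key(self, fp):
        self.certs.setdefault(fp, set())

    def certify(self, signer_fp, target_fp):
        """Record that signer_fp has signed target_fp's key."""
        self.add_key(signer_fp)
        self.add_key(target_fp)
        self.certs[target_fp].add(signer_fp)

    def set_owner_trust(self, fp, level):
        """How much I trust this person to verify *other* people's keys."""
        self.owner_trust[fp] = level

    def valid_keys(self):
        """Keys whose identity I can rely on, computed outwards from my own key."""
        valid = {self.my_fp}
        for _ in range(self.max_depth):
            newly = set()
            for fp, signers in self.certs.items():
                if fp in valid:
                    continue
                completes = marginals = 0
                for s in signers:
                    if s not in valid:
                        continue  # a signature from a key I cannot validate proves nothing
                    level = FULL if s == self.my_fp else self.owner_trust.get(s, NONE)
                    if level == FULL:
                        completes += 1
                    elif level == MARGINAL:
                        marginals += 1
                if completes >= self.completes_needed or marginals >= self.marginals_needed:
                    newly.add(fp)
            if not newly:
                break
            valid |= newly
        return valid


def build_example():
    wot = WebOfTrust("me")
    # At the key-signing party I checked Indra's passport and the fingerprint on
    # his slip, so I sign his key and treat him as a fully trusted introducer.
    wot.certify("me", "indra")
    wot.set_owner_trust("indra", FULL)
    # Indra has signed Raju, Carol and Dave; I trust each of them only marginally.
    for fp in ("raju", "carol", "dave"):
        wot.certify("indra", fp)
        wot.set_owner_trust(fp, MARGINAL)
    # Jay's key carries three marginal certifications, which together suffice.
    for fp in ("raju", "carol", "dave"):
        wot.certify(fp, "jay")
    # A bare key fetched from the net claiming to be Raju: nobody I can validate signed it.
    wot.add_key("raju-impostor")
    # Jay signed Mallory's key, but Jay is merely valid, not a trusted introducer.
    wot.certify("jay", "mallory")
    return wot


def demo():
    """Validity before and after withdrawing Indra's introducer trust."""
    wot = build_example()
    before = sorted(wot.valid_keys())
    # Trust is not permanent: his own key stays valid (I signed it myself),
    # but nothing he certified is valid any more.
    wot.set_owner_trust("indra", NONE)
    after = sorted(wot.valid_keys())
    return before, after


if __name__ == "__main__":
    print(demo())
```

Two things the model makes concrete: a signature only carries weight when the signer's key is itself valid *and* the keyring owner has assigned that signer owner trust, which is why the bare downloaded key and the key signed only by Jay stay invalid; and owner trust is a setting the keyring owner can change at any time, so the newspaper scenario above is handled by lowering one trust value rather than by re-verifying everyone.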