On Saturday 02 August 2003 4:13, Shaul Karl wrote: > On Fri, Aug 01, 2003 at 11:30:25PM +0300, Dan Armak wrote: > > Hi all, > > Hello, > > > 1. What we actually check when we look at someone's ID card/driver's > > license/ passport/etc, is that he's an Israeli (or other) citizen under > > that name. But we don't actually check he has access to the private key > > in question. After all, everyone knows my pub key ID and fingerprint. > > This may be a hole hard to exploit, but I still don't like it. > > > > Possible solution: create a test text/file on the spot at the keysigning > > party and require participants to sign it, thus demonstrating they indeed > > have the private key. The problem with this is that everyone would have > > to bring a laptop or have access to an utterly trustable machine, so it > > seems impractical at this point. > > > > If and when we get keypair-based digital IDs instead of paper ones, there > > should also be commodity carryable devices used to sign with those keys, > > so this poblem will be solved. Any other solutions meanwhile? > > 1. Not a full solution but still. Have the place of the key signing > party have a net access and an ssh client so that people that can > access their private key with ssh would be able to remote sign it. > Somewhat alleviate the utterly trustable machine problem, unless > there is no facility to gpg remotely or some other issue that I > missed.
If the box you're sshing from isn't trustable, you can't use it. It might have a keylogger that'll log your ssh password and key passphrase. Or even a modified ssh that won't close the connection when you think it did, and continue to extract info or cause damage to your remote box. > 2. I believe we can build a reasonable ring of trust already. Not a > first hand signing but should be pretty close due to the small > community and the small depth of the existing rings. A reaasonable solution requires people to actually use their keys all the time... Why don't you, everyone? -- Dan Armak Matan, Israel Public GPG key: http://dev.gentoo.org/~danarmak/danarmak-gpg-public.key Fingerprint: DD70 DBF9 E3D4 6CB9 2FDD 0069 508D 9143 8D5F 8951
pgp00000.pgp
Description: signature
