On 28/08/14 16:20, Michael Rogers wrote:
> Sorry for the broken formatting, writing this on my phone...
>
>> B) If I know Bob as somebody who writes really cool blog posts
>> about something interesting, so whose opinion I value and want to
>> solicit, then "Bob" is really just my petname for this identity.
>> What I really care about is that my message is only readable by the
>> author of those posts. Seeing what key has signed those posts and
>> then using that to encrypt a message and then checking the
>> signature on the reply is what I need
>
> This is secure only to the extent that you trust the channel by which
> you obtained the blog posts. Anyone could take those posts, strip off
> the author's signatures and sign them with another key in order to
> receive replies intended for the author.

Yes; providing security against plagiarism is another interesting topic - and pretty tricky when the plagiarist is a MITM :-) If not, then plagiarism can often be at least detected after the fact, by the original turning up as well as the plagiarised version, or the original author seeing their own content with another's signature on it.

In practice, we can reduce the impact of plagiarism on crypto-identity-theft by making an effort to use the same crypto-identity (or linked crypto-identities) in lots of different environments, to make it hard to MITM them all. I use the same GPG key to post stuff here and to sign various things on http://www.snell-pym.org.uk/alaric/ (including references to other keys I hold), and for other mailing lists and public mails, for instance - from a variety of Internet connections.

ABS

--
Alaric Snell-Pym
http://www.snell-pym.org.uk/alaric/
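
An added example, not part of the original message: a reader-side check that flags content which has turned up signed by more than one key, and ranks the competing keys by how many independent channels each was seen on. It assumes signatures were already verified elsewhere (for instance with GnuPG); the fingerprints, channel names and post body are constructed, and the channel count is a heuristic that fails if every channel is intercepted.

```python
import hashlib
from collections import defaultdict

# Constructed sample data: fingerprints and channel names are made up.
AUTHOR_KEY = "A1" * 20
OTHER_KEY = "B2" * 20
POST = b"Really cool blog post about something interesting.\n"

def digest(body: bytes) -> str:
    return hashlib.sha256(body).hexdigest()

# (channel the copy arrived over, content digest, fingerprint whose signature verified)
OBSERVATIONS = [
    ("blog-via-home-isp", digest(POST), AUTHOR_KEY),
    ("mailing-list-archive", digest(POST), AUTHOR_KEY),
    ("blog-via-mobile", digest(POST), AUTHOR_KEY),
    ("blog-via-cafe-wifi", digest(POST), OTHER_KEY),
]

def contested_content(observations):
    """Content digests seen with valid signatures from more than one key."""
    signers = defaultdict(set)
    for _channel, content, fpr in observations:
        signers[content].add(fpr)
    return {c: s for c, s in signers.items() if len(s) > 1}

def channels_per_key(observations):
    """Every channel on which each key was seen signing anything."""
    seen = defaultdict(set)
    for channel, _content, fpr in observations:
        seen[fpr].add(channel)
    return dict(seen)

def best_corroborated(observations, content):
    """Signer of `content` seen on strictly more channels than any rival, else None."""
    seen = channels_per_key(observations)
    signers = {f for _c, d, f in observations if d == content}
    ranked = sorted(signers, key=lambda f: len(seen[f]), reverse=True)
    if not ranked:
        return None
    if len(ranked) > 1 and len(seen[ranked[0]]) == len(seen[ranked[1]]):
        return None  # tie: the channels give no basis to prefer one key
    return ranked[0]

if __name__ == "__main__":
    for content, keys in contested_content(OBSERVATIONS).items():
        print("contested:", content[:16], sorted(keys))
        print("best corroborated:", best_corroborated(OBSERVATIONS, content))
```

A `None` result means the observations cannot separate the keys, which is the case when only one channel has ever been used.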
