On 7 Dec 2016 20:37, "Bjarni Runar Einarsson" <b...@pagekite.net> wrote:
> Signatures don't just prove that the content is authentic, in practice they also work in the other direction - associating content and online identity with the signing key. A large amount of e-mails, consistently authored by the same persona and signed by the same key is as strong a signal of trustworthiness (of the key) as anything the web of trust or keyservers can provide. In many ways, it's stronger and more practical, because I probably care more about communicating with the person that wrote all those messages, than I care about government issued IDs or how diligent the author is at updating keyservers or attending keysigning parties.
>
> Um, in my opinion. I don't know if there is research which quantifies these assertions. So take with as many grains of salt as you feel appropriate. :-)

How to defeat a chess grandmaster; Play as a proxy between two chess grandmasters. Just copy their moves, let them play each other while both of them just see *your* face.

There's typically nothing in the data binding the actions to your identity. Somebody persistent enough can silently substitute keys indefinitely if you have no alternative communications channel.

You would have to proactively search for people mimicking your behavior if you want to defend against this, and spread around your public key and profile as much as you can to reduce the risk of getting impersonated without you realizing it.

If you're not unique and notable enough, chances are nobody would even detect a casual attempt at impersonation / proxying communications. Age of an online persona does help (increased chance of detection by the impersonated), but isn't a guarantee.
_______________________________________________
Messaging mailing list
Messaging@moderncrypto.org
https://moderncrypto.org/mailman/listinfo/messaging
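The two positions in this exchange, as an added example that is not part of either message: a trust-on-first-use key-continuity check reports a long consistent history even when every message arrived through a relay that re-signed it, and only a fingerprint obtained over a second channel exposes the mismatch. `ContinuityStore`, the address and the random byte strings standing in for public keys are all assumptions made for illustration.

```python
import hashlib
import hmac
import os

def fingerprint(public_key: bytes) -> str:
    """SHA-256 fingerprint of a public key, hex-encoded."""
    return hashlib.sha256(public_key).hexdigest()

class ContinuityStore:
    """Trust-on-first-use record of the signing key seen per sender address."""

    def __init__(self):
        self.seen = {}  # address -> (pinned fingerprint, messages signed by it)

    def observe(self, address: str, signing_key: bytes) -> str:
        fp = fingerprint(signing_key)
        if address not in self.seen:
            self.seen[address] = (fp, 1)
            return "first-use"
        pinned, count = self.seen[address]
        if hmac.compare_digest(pinned, fp):
            self.seen[address] = (pinned, count + 1)
            return "consistent"
        return "KEY-CHANGED"

    def verify_out_of_band(self, address: str, fp_other_channel: str) -> bool:
        """Compare the pinned key with a fingerprint from a second channel."""
        pinned, _ = self.seen[address]
        return hmac.compare_digest(pinned, fp_other_channel.lower())

def demo():
    # Constructed keys: random bytes stand in for real public keys.
    alice_key = os.urandom(32)  # key the persona really signs with
    proxy_key = os.urandom(32)  # key a relay in the middle re-signs with
    store = ContinuityStore()
    # The reader only ever receives relayed copies, from the first message on.
    results = [store.observe("alice@example.org", proxy_key) for _ in range(50)]
    # Continuity alone: a long, perfectly consistent history.
    history_ok = results[0] == "first-use" and set(results[1:]) == {"consistent"}
    # Fingerprint read from a second channel (e.g. a printed card).
    oob_ok = store.verify_out_of_band("alice@example.org", fingerprint(alice_key))
    # A substitution that starts later, by contrast, is caught by continuity.
    late = store.observe("alice@example.org", alice_key)
    return history_ok, oob_ok, late

if __name__ == "__main__":
    print(demo())
```
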