Re: Keysigning challenge policies/procedures

2006-07-08 Thread Michael Kallas
David Shaw wrote:
> I've been away on vacation and only picked up this thread now.  This
> statement is not correct.  Back in the PGP 2.x days, this might have
> been true, but with OpenPGP, there is no particular requirement that
> the ability to sign and the ability to decrypt are connected.  You can
> have a shared key with separate capabilities.
>
> Sending a signed key via encrypted mail does not ensure anything
> about the key owner.

Why not?
Sorry, this conclusion was too fast for me, could you please explain a
little bit?

Best wishes
Michael

-- 
Nobody can save your freedom but YOU -
become a fellow of the FSF Europe! http://www.fsfe.org/en


signature.asc
Description: OpenPGP digital signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users


Re: Keysigning challenge policies/procedures

2006-07-08 Thread Alphax
Michael Kallas wrote:
> David Shaw wrote:
>> I've been away on vacation and only picked up this thread now.  This
>> statement is not correct.  Back in the PGP 2.x days, this might have
>> been true, but with OpenPGP, there is no particular requirement that
>> the ability to sign and the ability to decrypt are connected.  You can
>> have a shared key with separate capabilities.
>>
>> Sending a signed key via encrypted mail does not ensure anything
>> about the key owner.
> Why not?
> Sorry, this conclusion was too fast for me, could you please explain a
> little bit?

Suppose you send an email to Address W and encrypt an authentication
token to Key X. You receive a reply from Address Y, containing the
authentication token, which has been signed with Key Z.

This tells you that /someone/ with access to W has received a message;
/someone/ with access to X has decrypted it; /someone/ with access to Z
has signed a reply; and /someone/ with access to Y has sent a reply.

Keys X and Z may or may not be the same key or subkeys of the same
primary key, addresses W and Y may or may not be the same, and Y may or
may not have been faked (which is trivial).

The owners of W, X, Y and Z could be four different people, or they
might not be people at all; all you can really say about the key owner
is that X is in contact with W and Z, and Z is in contact with X and Y.

-- 
Alphax
Death to all fanatics!
  Down with categorical imperative!
OpenPGP key: http://tinyurl.com/lvq4g
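
The W/X/Y/Z reasoning in the reply above, as an added example that is not part of the original thread: a small Python model that reports which bindings a completed e-mail challenge actually shows. The keyring, key IDs, addresses and the `assess` function are constructed for illustration, and the reply's signature is assumed to have verified already.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Key:
    key_id: str
    primary: str       # key ID of the primary key this key belongs to
    can_sign: bool
    can_encrypt: bool

# Constructed keyring: one certificate with split capabilities, one unrelated key.
KEYRING = {k.key_id: k for k in (
    Key("AAAA0001", "AAAA0001", can_sign=True, can_encrypt=False),
    Key("AAAA0002", "AAAA0001", can_sign=False, can_encrypt=True),
    Key("BBBB0001", "BBBB0001", can_sign=True, can_encrypt=True),
)}
# Addresses claimed as user IDs on each primary key (constructed).
UIDS = {"AAAA0001": {"alice@example.org"}, "BBBB0001": {"mallory@example.net"}}

def assess(w, x, y, z, keyring=KEYRING, uids=UIDS):
    """Classify what a challenge sent to address W, encrypted to key X,
    answered from address Y and signed by key Z shows.
    Assumes the token matched and the signature by Z verified."""
    kx, kz = keyring[x], keyring[z]
    if not kx.can_encrypt or not kz.can_sign:
        raise ValueError("X must be encryption-capable and Z signing-capable")
    return {
        # The contact links the challenge demonstrates: W-X, X-Z, Z-Y.
        "links": [(w, x), (x, z), (z, y)],
        # W appears as a user ID on the certificate X belongs to.
        "w_listed_on_x": w in uids.get(kx.primary, set()),
        # X and Z hang off one primary key. This is certificate structure,
        # not custody: the two secret keys can still be held separately.
        "x_z_same_certificate": kx.primary == kz.primary,
        # The From: address is unauthenticated, so a match is only a hint.
        "reply_address_matches": y.lower() == w.lower(),
        # None of the checks above ties the keys to a particular person.
        "identity_established": False,
    }

if __name__ == "__main__":
    # Split-capability certificate: encrypted to the subkey, signed by the primary.
    print(assess("alice@example.org", "AAAA0002", "alice@example.org", "AAAA0001"))
    # Reply signed by a key from a different certificate.
    print(assess("alice@example.org", "AAAA0002", "alice@example.org", "BBBB0001"))
```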


