On Sunday 09 July 2006 06:27, Alphax wrote:
Michael Kallas wrote:
David Shaw schrieb:
I've been away on vacation and only picked up this thread now.
This statement is not correct. Back in the PGP 2.x days, this
might have been true, but with OpenPGP, there is no particular
requirement that the ability to sign and the ability to decrypt
are connected. You can have a shared key with separate
capabilities.
Sending a signed key via encrypted mail does not ensure anything
about the key owner.
Why not?
Sorry, this conclusion was too fast for me, could you please
explain a little bit?
The key (i.e. the primary key) could belong to a group, but only one
person of the group might be the key owner (i.e. have full access to
the key) or even no member of the group might be the key owner, but
only a superior entity like the company's CA. Moreover, each member of
the group could have a separate encryption subkey.
This example should explain why sending a signed key via encrypted mail
doesn't ensure anything about the key owner.
Of course, with respect to keys belonging to real persons rather than to
entities/companies/etc. this example is probably not that convincing.
Suppose you send an email to Address W and encrypt an authentication
token to Key X. You receive a reply from Address Y, containing the
authentication token, which has been signed with Key Z.
This tells you that /someone/ with access to W has received a
message; /someone/ with access to X has decrypted it; /someone/ with
access to Z has signed a reply; and /someone/ with access to Y has
sent a reply.
Except for the Y part this is correct. But the contents of the From
address, i.e. Y, means absolutely nothing.
Keys X and Z may or may not be the same key or subkeys of the same
primary key, addresses W and Y may or may not be the same, and Y may
or may not have been faked (which is trivial).
Exactly. And therefore you shouldn't have written above "and /someone/
with access to Y has sent a reply", because anyone could have sent the
reply.
Regards,
Ingo
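As an added illustration of the point that signing and decryption capabilities need not sit on the same key (and so the signer of the reply and the holder of the decryption key may be different people), the script below parses the machine-readable output of `gpg --with-colons --list-keys` and reports which (sub)key carries which capability. This is not code from the thread or from GnuPG; the listing it parses is constructed for the example, and it relies only on field 12 of the pub/sub records, which GnuPG documents as the usage flags.

```python
"""Split an OpenPGP key's capabilities by subkey from `gpg --with-colons` output.

Added example with a constructed listing, not output from a real keyring.
Field 12 of each pub/sub record holds the usage letters
(e = encrypt, s = sign, c = certify, a = authenticate).
"""

# Constructed colon-format listing: a certify-only primary key with one
# signing subkey and two encryption subkeys, modelling a group key where
# each member holds a separate encryption subkey.
SAMPLE_LISTING = """\
tru::1:1700000000:0:3:1:5
pub:u:4096:1:0123456789ABCDEF:1700000000:::u:::c::::::23::0:
fpr:::::::::AAAA0123456789ABCDEF0123456789ABCDEF0123:
uid:u::::1700000000::0123456789ABCDEF0123456789ABCDEF01234567::Example Group <group@example.org>::::::::::0:
sub:u:4096:1:1111111111111111:1700000000::::::s::::::23:
sub:u:4096:1:2222222222222222:1700000000::::::e::::::23:
sub:u:4096:1:3333333333333333:1700000000::::::e::::::23:
"""

CAP_NAMES = {"e": "encrypt", "s": "sign", "c": "certify", "a": "authenticate"}


def parse_capabilities(listing):
    """Return a list of (record_type, keyid, set_of_capability_letters)."""
    keys = []
    for line in listing.splitlines():
        fields = line.split(":")
        if fields[0] not in ("pub", "sub"):
            continue
        # Lower-case letters are this key's own capabilities; upper-case
        # letters on a pub record summarise the whole key and are dropped.
        caps = {ch for ch in fields[11] if ch.islower()}
        keys.append((fields[0], fields[4], caps))
    return keys


def keys_with(keys, cap):
    """Key IDs (pub or sub) carrying capability letter `cap`."""
    return [keyid for _, keyid, caps in keys if cap in caps]


def capabilities_are_split(keys):
    """True when no single key can both sign and decrypt: the key that can
    read an encrypted challenge and the key that can sign a reply differ."""
    return not any({"s", "e"} <= caps for _, _, caps in keys)


if __name__ == "__main__":
    parsed = parse_capabilities(SAMPLE_LISTING)
    for rtype, keyid, caps in parsed:
        print(rtype, keyid, sorted(CAP_NAMES[c] for c in caps))
    print("signers:", keys_with(parsed, "s"))
    print("decryptors:", keys_with(parsed, "e"))
    print("sign/decrypt split:", capabilities_are_split(parsed))
```

Run against a real keyring with `gpg --with-colons --list-keys | python3 script.py`-style piping by replacing SAMPLE_LISTING with stdin; the same field layout applies.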
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users