Re: Authenticating public keys...
David T-G [EMAIL PROTECTED] writes:

> % What do you guys do? Put up with the warning? Sign the key even if
> % you're not sure? Use the X-PGP-Fingerprint header as a second
> % validation? Use fingerprints in signatures?
>
> I just put up with it unless I have the opportunity to meet up with
> someone. I'm considering using --lsign-key to keep things quiet but
> I then need to figure out how to differentiate between locally
> signed and globally signed keys for when I care.

I accidentally used --lsign-key once, and I recall having a bitch of a
time when my friend and I couldn't figure out why my signature wasn't
showing up on his key on the keyservers :P

I think the best practice is to just not sign a key unless you meet
in person and verify identity, otherwise, just deal with the
warning. (it is there for a reason, after all :)

ttyl,

--
Josh Huber
Authenticating public keys...
I'm really enjoying GnuPG, especially the auto-fetch feature for unknown
keys (which never worked for me in PGP). As I accumulate public keys, I'd
like to lsign the keys (--lsign-key cmdarg) to remove that little warning.
Unfortunately, there's no good way to authenticate the key.

What do you guys do? Put up with the warning? Sign the key even if you're
not sure? Use the X-PGP-Fingerprint header as a second validation? Use
fingerprints in signatures?

We should have a little poll. :-)

Thanks,
js.

--
Jean-Sebastien Morisset, Sr. UNIX Administrator [EMAIL PROTECTED]
Personal Homepage http://jsmoriss.mvlan.net/
This is Linux Country. On a quiet night you can hear Windows NT reboot!
please pgp encrypt all correspondence
Re: Authenticating public keys...
Thus spake Jean-Sebastien Morisset ([EMAIL PROTECTED]):

> What do you guys do? Put up with the warning? Sign the key even if
> you're not sure? Use the X-PGP-Fingerprint header as a second
> validation? Use fingerprints in signatures?

Personally, I put up with the warning and sign the key only when I've
verified the fingerprint by phone or in person. Then again, I'm trying
to go strictly by the book even though I don't have very high security
needs.

--
| Justin R. Miller / [EMAIL PROTECTED] / 0xC9C40C31
| Of all the things I've lost, I miss my pants the most.
--
Re: Authenticating public keys...
J-S --

...and then Jean-Sebastien Morisset said...
% I'm really enjoying GnuPG, especially the auto-fetch feature for unknown
% keys (which never worked for me in PGP). As I accumulate public keys, I'd

*grin* Ah, the bliss of using the proper tool :-)

% like to lsign the keys (--lsign-key cmdarg) to remove that little warning.
% Unfortunately, there's no good way to authenticate the key.

Yep.

%
% What do you guys do? Put up with the warning? Sign the key even if you're
% not sure? Use the X-PGP-Fingerprint header as a second validation? Use
% fingerprints in signatures?

I just put up with it unless I have the opportunity to meet up with
someone. I'm considering using --lsign-key to keep things quiet but I
then need to figure out how to differentiate between locally signed and
globally signed keys for when I care.

%
% We should have a little poll. :-)

Here ya go :-)

%
% Thanks,
% js.

:-D

--
David T-G                     * It's easier to fight for one's principles
(play) [EMAIL PROTECTED]      * than to live up to them. -- fortune cookie
(work) [EMAIL PROTECTED]
http://www.justpickone.org/davidtg/    Shpx gur Pbzzhavpngvbaf Qrprapl Npg!
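The question above of telling locally signed (--lsign-key) keys apart from globally signed ones can be answered from gpg's machine-readable listing. The following is an added example, not code from the thread: it parses the colon-separated output of `gpg --with-colons --list-sigs`, where field 11 of each `sig` record is the signature class followed by `x` (exportable) or `l` (local-only); the keyring listing, key IDs and user IDs below are constructed sample data.

```python
"""Report which certifications on a key are local (made with --lsign-key,
never sent to keyservers) and which are exportable, from gpg's colon output.
Added example; the SAMPLE listing below is constructed, not a real keyring."""
from dataclasses import dataclass

# Constructed sample of `gpg --with-colons --list-sigs`. Field 11 of a "sig"
# record is the signature class (two hex digits) followed by "x" for an
# exportable signature or "l" for a local-only (lsign) signature.
SAMPLE = """\
pub:u:4096:1:AAAA1111BBBB2222:1000000000:::u:::scESC::::::23::0:
uid:u::::1000000000::HASH1::Alice Example <alice@example.invalid>::::::::::0:
sig:::1:AAAA1111BBBB2222:1000000000::::Alice Example <alice@example.invalid>:13x::::::2:
sig:::1:CCCC3333DDDD4444:1000000100::::Bob Example <bob@example.invalid>:13l::::::2:
sig:::1:EEEE5555FFFF6666:1000000200::::Carol Example <carol@example.invalid>:10x::::::2:
"""

@dataclass
class Sig:
    signer_keyid: str
    signer_uid: str
    sig_class: str   # "13" positive certification, "10" generic, etc.
    local: bool      # True when the signature is local-only (lsign)

def parse_sigs(colon_output: str) -> dict[str, list[Sig]]:
    """Map each public key's long key ID to the certifications on it."""
    sigs: dict[str, list[Sig]] = {}
    current = None
    for line in colon_output.splitlines():
        fields = line.split(":")
        if fields[0] == "pub":
            current = fields[4]          # field 5: key ID
            sigs[current] = []
        elif fields[0] == "sig" and current is not None:
            klass = fields[10]           # field 11: class + x/l flag
            sigs[current].append(Sig(
                signer_keyid=fields[4],
                signer_uid=fields[9],
                sig_class=klass[:2],
                local=klass.endswith("l"),
            ))
    return sigs

def local_signers(colon_output: str, keyid: str) -> list[str]:
    """Signers whose certification on `keyid` stays in this keyring only."""
    return [s.signer_keyid for s in parse_sigs(colon_output).get(keyid, []) if s.local]

def exportable_signers(colon_output: str, keyid: str) -> list[str]:
    """Signers whose certification on `keyid` would travel to a keyserver."""
    return [s.signer_keyid for s in parse_sigs(colon_output).get(keyid, []) if not s.local]
```

Run it against your own keyring by feeding it the output of `gpg --with-colons --list-sigs`; a signature listed under local_signers is exactly the kind that will never show up on the keyservers.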
Re: Authenticating public keys...
* Jean-Sebastien Morisset ([EMAIL PROTECTED]) [010917 13:15]:
> I'm really enjoying GnuPG, especially the auto-fetch feature for unknown
> keys (which never worked for me in PGP). As I accumulate public keys, I'd
> like to lsign the keys (--lsign-key cmdarg) to remove that little warning.
> Unfortunately, there's no good way to authenticate the key.
>
> What do you guys do? Put up with the warning? Sign the key even if you're
> not sure? Use the X-PGP-Fingerprint header as a second validation? Use
> fingerprints in signatures?

Well, your signature on a key is your certification that this key
actually belongs to this person. Don't go and sign a key unless you're
willing to make that statement; it defeats the whole purpose!

For similar reasons, an email header or a .signature provides *NO* added
information that this key is being used legitimately; if I made a bogus
key that said "Jean-Sebastien Morisset" I could send mail to the list
with a signature that other people would see came from YOU. What's to
stop me (as a malicious forger) from also inserting the key's fingerprint
in the mail? Therefore, seeing a fingerprint in a header or signature
adds no trust that the key being used is valid.

Worse yet, what if I was able to intercept your email via a
man-in-the-middle attack? I could strip out your signature and your
fingerprint, and insert my own. If people took it at face value ("yeah,
that looks like a js post; there's his signature, there's his
fingerprint") and decided to trust that key, this would be bad, bad news
for you. What if someone then wanted to send an encrypted message to
you? They do so using the public key I referenced in the email I'd been
altering, and now I can see the encrypted message. Not very secure, is
it?

The system is only as trustworthy as far as its keys can be trusted. If
you don't like seeing a warning that you can't trust this key, you have
a few options:

1. Validate the key yourself. Find the person whose key it is and verify
   it with them by asking to see their passport and checking that their
   fingerprint is the same as the fingerprint on your keyring. Then sign
   their key.

2. Don't verify signatures made with untrusted keys. Tell mutt not to
   automatically verify signatures, and just do it manually when you get
   an email from someone whose key you trust.

3. Take the warning for what it means: This is a good signature with
   this key, but there is no indication that this key belongs to the
   person it claims to belong to.

> We should have a little poll. :-)

The first option would be best for the web of trust, but personally I'm
using #3.

--
Vineet                                   http://www.anti-dmca.org
Unauthorized use of this .sig may constitute violation of US law.
echo Qba\'g gernq ba zr\! |tr 'a-zA-Z' 'n-za-mN-ZA-M'
Re: Authenticating public keys...
On Mon, 17 Sep 2001 at 16:12:25 -0400, Jean-Sebastien Morisset wrote:
[...]
> What do you guys do? Put up with the warning? Sign the key even if you're
> not sure? Use the X-PGP-Fingerprint header as a second validation? Use
> fingerprints in signatures?
>
> We should have a little poll. :-)

I put up with the warnings until i can verify a key, as doing otherwise
defeats their purpose, and the web of trust.

Like others have said, using fingerprints from the email header as
validation is a really bad idea, as they're exactly as easy to forge as
the signature itself.

I'm not of the meeting-in-person-or-over-the-phone-is-the-only-way
school though, as even that can be forged with a bit of planning and
luck. (Someone's phone can be answered by a malicious person
impersonating him, and you won't even know the difference if you haven't
heard either party's voice before, or an impersonator could show up at
an informal key-signing party without the real person's knowledge, and
so on.) It's also in many cases difficult to organise meatspace
meetings, with people situated all over the world and all that.

So i think the most realistic way to verify keys is to get fingerprints
from as many independent sources as possible, and basing your overall
trust on the sum of each individual source's trust, if that makes sense.

For example, if i can obtain matching fingerprints for many of the
FreeBSD core team members' public keys via:

- the various online mirrors of the FreeBSD Handbook
- a copy of the same handbook from an official release CD
- their personal homepages
- multiple mailing list postings

I'll consider the key trusted, without the slightly inconvenient step of
flying abroad and organising a meeting.

So the key (no pun intended) to making your public key easily and
securely verifiable is to have as many redundant copies of it spread all
over the place as you can. The more difficult it is for an imposter to
`fake' all the copies at once (or sequentially, while you're checking
them), the better.

--
Piet Delport [EMAIL PROTECTED]
Today's subliminal thought is:
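Piet's approach above, a fingerprint corroborated by several independent sources with the trust summed per source, can be made mechanical. This is an added example, not code from the thread: it normalises each copy of the fingerprint, counts one vote per named source, refuses to trust a key if any source disagrees (that is the moment to investigate, not to pick a winner), and otherwise compares the summed trust to a threshold. The source names, weights, threshold and fingerprints are all constructed; a source that is as easy to forge as the signature itself (Vineet's mail-header case) gets weight 0.

```python
"""Corroborate a key fingerprint from copies found in independent places
(handbook mirrors, a release CD, a homepage, list postings) and sum the
trust per source. Added example; all sources and fingerprints are constructed."""
from collections import defaultdict
import re

def normalize(fpr: str) -> str:
    """Canonical form: uppercase hex with whitespace removed; reject junk."""
    s = re.sub(r"\s+", "", fpr).upper()
    if not re.fullmatch(r"[0-9A-F]{40}", s):   # v4 fingerprints are 160 bits
        raise ValueError(f"not a fingerprint: {fpr!r}")
    return s

def corroborate(observations, threshold):
    """observations: list of (source_name, fingerprint, weight). The weight is
    how much that source is trusted on its own; two sources an attacker could
    forge together should share one name so they are counted once.
    Returns (trusted_fingerprint_or_None, summed_score, conflicting_sources)."""
    scores = defaultdict(float)
    seen = set()
    for source, fpr, weight in observations:
        if source in seen:
            continue                         # one vote per source
        seen.add(source)
        scores[normalize(fpr)] += weight
    if not scores:
        return None, 0.0, []
    best, score = max(scores.items(), key=lambda kv: kv[1])
    conflicting = [src for src, fpr, _ in observations if normalize(fpr) != best]
    if conflicting:
        return None, score, conflicting      # any disagreement: do not trust yet
    return (best if score >= threshold else None), score, []

# Constructed sample: the same fingerprint as seen in four places, with
# per-source trust chosen by hand (the release CD is hardest to tamper with).
GOOD = "1234 5678 9ABC DEF0 1234  5678 9ABC DEF0 1234 5678"
OBSERVATIONS = [
    ("handbook mirror A", GOOD, 0.5),
    ("release CD", GOOD, 1.0),
    ("homepage", GOOD.lower(), 0.5),
    ("list posting", GOOD, 0.25),
]

if __name__ == "__main__":
    print(corroborate(OBSERVATIONS, 2.0))
    # A fingerprint seen only in a mail header carries no weight, but a
    # header that disagrees with every other source is still a red flag.
    print(corroborate(OBSERVATIONS + [("email header", "0" * 40, 0.0)], 2.0))
```

The threshold and weights are policy, not fact: the code only makes the policy explicit and stops you from silently accepting a key when one of the copies does not match.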
Re: Authenticating public keys...
Josh --

...and then Josh Huber said...
% David T-G [EMAIL PROTECTED] writes:
%
% > someone. I'm considering using --lsign-key to keep things quiet but
% > I then need to figure out how to differentiate between locally
% > signed and globally signed keys for when I care.
%
% I accidentally used --lsign-key once, and I recall having a bitch of a
% time when my friend and I couldn't figure out why my signature wasn't
% showing up on his key on the keyservers :P

*grin*

%
% I think the best practice is to just not sign a key unless you meet
% in person and verify identity, otherwise, just deal with the
% warning. (it is there for a reason, after all :)

True, and the way I'm doing things now, and it will take a bit of
convincing for me to change :-)

%
% ttyl,
%
% --
% Josh Huber

:-D

--
David T-G                     * It's easier to fight for one's principles
(play) [EMAIL PROTECTED]      * than to live up to them. -- fortune cookie
(work) [EMAIL PROTECTED]
http://www.justpickone.org/davidtg/    Shpx gur Pbzzhavpngvbaf Qrprapl Npg!