Mark Wieder, [MW] wrote: MW> So... um... it's possible to fake a PGP-signing?
It's not really a matter of faking a signature. OK. The imposter creates a key and signs a message that contains one of my signatures. The From header also says the message is from me. I've never signed a message to this list, and you proceed to verify the signature. PGP looks up the key on the keyserver and downloads it. The signature verifies as good, meaning that the message hasn't been tampered with. The other vital question you need to answer is whether the signature you verified was really created by a key that *I* signed with and not, instead, by an imposter who simply created a key to do his evil deed.

OTOH, take the current situation. I sign all my messages to the list. Everyone gets a chance, if they so choose, to verify my signatures using the public key I make available via the keyservers and via the URL in my signature. You have over 2 years of messages consistently signed using the same key. The imposter, who *cannot* sign with my key unless he has access to my machine and my passphrase, decides to try to impersonate me. He tries by sending a message without signing. Immediately the list members get suspicious. He sees that this will not work. He therefore signs the message. You now attempt to verify and note that PGP begins looking up a key. Alarm bells ring again, since you already have my public key on your keyring. PGP shouldn't be looking for my public key. Some other key was used to sign. Again, alarm bells go off.

I'll be away all of next week while I attend a conference. I'll not be able to tell you that a message seemingly from me was not in fact from me. However, I have no worries that I will be successfully impersonated. Why? I've been signing all my messages, and any new ones may be verified. It doesn't matter that I'm really 'The Dude', Allie Martin from Jamaica, as I claim I am. What does matter is that I'm the person who has been signing with the same key for years on this list, and I've been playing moderator with said name.

My key is therefore as trustworthy as it could get for the purposes of this list with regards to establishing who I am, a moderator who calls himself Allie Martin. :)

-- 
-= allie_M =- | List Moderator
PGPKeys: http://www.ac-martin.com/pgpkeys.html
________________________________________________ Current version is 2.01 | "Using TBUDL" information: http://www.silverstones.com/thebat/TBUDLInfo.html
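The rule the moderator describes, as an added example that is not part of the original message or of The Bat!: a good signature only proves the content was not altered; identity comes from the signing key being the one this sender has used all along. The script below reads the machine-readable status records GnuPG emits with --status-fd (GOODSIG, VALIDSIG, BADSIG, NO_PUBKEY) and applies that key-continuity check. The pinned fingerprint, the sender label "allie_M" and the status lines are constructed for the example.

```python
"""Key-continuity check over GnuPG --status-fd output (added example)."""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

# Fingerprints learned on first contact and then held fixed (trust on first use).
# Constructed value for this example; not the moderator's real key.
PINNED: Dict[str, str] = {
    "allie_M": "0123456789ABCDEF0123456789ABCDEF01234567",
}

# Every gpg status record looks like "[GNUPG:] TAG arg arg ...".
STATUS_RE = re.compile(r"^\[GNUPG:\] (\S+)(?: (.*))?$")


@dataclass
class Verdict:
    status: str                 # see check_signature() for the possible values
    fingerprint: Optional[str]  # primary-key fingerprint behind the signature
    detail: str


def parse_status(lines: Iterable[str]) -> List[Tuple[str, List[str]]]:
    """Split status-fd lines into (tag, args) pairs, ignoring other output."""
    records = []
    for line in lines:
        m = STATUS_RE.match(line.strip())
        if m:
            records.append((m.group(1), (m.group(2) or "").split()))
    return records


def check_signature(status_lines, claimed_sender, pinned=PINNED) -> Verdict:
    """Decide whether a message's signature ties it to claimed_sender.

    Returns one of:
      unsigned     - no signature at all (the first thing the list notices)
      bad_sig      - signature present but the content was altered
      unknown_key  - signed by a key not on the keyring; gpg would go to the
                     keyserver for it, the alarm bell the post describes
      wrong_key    - good signature, but by a key other than the one pinned
                     for this sender (the imposter who made his own key)
      unpinned     - good signature from a sender we have never pinned
      trusted      - good signature by the sender's long-standing key
    """
    expected = pinned.get(claimed_sender)
    fpr: Optional[str] = None
    good = bad = nokey = False
    missing_keyid = None
    for tag, args in parse_status(status_lines):
        if tag == "VALIDSIG" and args:
            # Field 1 is the signing (sub)key fingerprint; field 10, when
            # present, is the primary key's fingerprint, which is what we pin.
            fpr = (args[9] if len(args) >= 10 else args[0]).upper()
            good = True
        elif tag == "GOODSIG":
            good = True
        elif tag == "BADSIG":
            bad = True
        elif tag == "NO_PUBKEY":
            nokey = True
            missing_keyid = args[0] if args else None

    if bad:
        return Verdict("bad_sig", fpr, "content does not match the signature")
    if nokey:
        return Verdict("unknown_key", None,
                       f"signing key {missing_keyid} is not on the keyring, "
                       f"but {claimed_sender}'s key already is")
    if not good:
        return Verdict("unsigned", None, "no signature to verify")
    if expected is None:
        return Verdict("unpinned", fpr,
                       f"first signed message seen from {claimed_sender}")
    if fpr != expected:
        return Verdict("wrong_key", fpr,
                       f"good signature, but not by the key pinned for {claimed_sender}")
    return Verdict("trusted", fpr, "signed with the key this sender has always used")


# Constructed status output for messages all claiming to be from allie_M.
GENUINE = [
    "[GNUPG:] NEWSIG",
    "[GNUPG:] GOODSIG 89ABCDEF01234567 Allie Martin <allie@example.invalid>",
    "[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2003-05-01 "
    "1051800000 0 4 0 17 2 00 0123456789ABCDEF0123456789ABCDEF01234567",
    "[GNUPG:] TRUST_UNDEFINED 0 pgp",
]
# Imposter's own key, already fetched from a keyserver: the signature is "good".
IMPOSTER_FETCHED = [
    "[GNUPG:] NEWSIG",
    "[GNUPG:] GOODSIG 76543210FEDCBA98 Allie Martin <allie@example.invalid>",
    "[GNUPG:] VALIDSIG FEDCBA9876543210FEDCBA9876543210FEDCBA98 2003-05-02 "
    "1051900000 0 4 0 17 2 00 FEDCBA9876543210FEDCBA9876543210FEDCBA98",
    "[GNUPG:] TRUST_UNDEFINED 0 pgp",
]
# Same imposter key, not yet fetched: gpg reports the key as missing.
IMPOSTER_NOKEY = [
    "[GNUPG:] NEWSIG",
    "[GNUPG:] ERRSIG 76543210FEDCBA98 17 2 00 1051900000 9 "
    "FEDCBA9876543210FEDCBA9876543210FEDCBA98",
    "[GNUPG:] NO_PUBKEY 76543210FEDCBA98",
]
UNSIGNED: List[str] = []

if __name__ == "__main__":
    for name, lines in [("genuine", GENUINE),
                        ("imposter, key fetched", IMPOSTER_FETCHED),
                        ("imposter, key missing", IMPOSTER_NOKEY),
                        ("unsigned", UNSIGNED)]:
        v = check_signature(lines, "allie_M")
        print(f"{name:24s} -> {v.status:12s} {v.detail}")
```

In real use the status lines come from `gpg --status-fd 1 --verify` on the message; the point of pinning the primary-key fingerprint rather than the user ID is that the imposter can put any name and address on a key he generates, but cannot reproduce the fingerprint of the key the list has seen for two years.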

