su. den 21. 02. 2016 klokka 16.38 (+0000) skreiv Pete Biggs:
This is not the way it's supposed to work. If I don't check the public key is trusted, why should I believe a message signed with it? Simply picking up the key with the message is tantamount to doing nothing. I must either know the key beforehand (i.e. I have it in my keyring) or I fetch it from a public server and check who vouches for it. pocThat's what I thought too. Like my friend and I. We physically checked each other's fingerprints too. We know who we are and who the key belongs too. So of course we sign it and trust it.Sorry, I've come a bit late to this bit of the conversation ... Signing a message does two things: 1) it verifies who the sender is and 2) verifies that the contents of the message haven't changed. In order to do both with any sort of veracity, you must know with absolute certainty who the key that the message is signed with belongs to. Merely adding a public key to the message does NOT enable you to do this. Remember that ANYONE can generate a PGP public/private key pair in the name of any person. So I can generate a key in Stig's name, write an email spoofing his email address sign it and add the public key to the email to "verify" the message ... would you accept it?? Even worse, I could intercept a message between Stig and his friend, edit the plain text, resign it with the bogus key and pass it on (with the public key attached so it can be "verified"). No, you absolutely MUST NOT trust a public key attached to a message unless it has been independently signed and verified by a 3rd party *that you trust*. It is only through a web of trust created by signed keys that you can be reasonably certain that new keys are correct; and similarly, you must only sign keys that you know WITH ABSOLUTE CERTAINTY belong to the person. I have been involved with CERT PGP key signing parties in the past where the only valid form of identification is a passport and the person must be physically present - but you do get a key that most people trust! P.
Extremely useful information, a lesson to learn by heart. If not their passport (I know that in some cases it's the only valid ID), at least I have the habit of meeting people face to face, like people I really trust, before signing and trusting their key. I only encrypt to people I trust IF the message requires it. And I have other computers and emails for that too. But I also agree with Snowden. Sensitive, personal letters to friends, family, co-workers and the like, is a good habit. Tails/Tor, Signal for phone ... Strange times, and we should protect ourselves - if we know how to do it. There's good quality from people in here. I choose to listen, learn - and then make my own choices. Stig
Attachment:
signature.asc
Description: This is a digitally signed message part