
Re: [Enigmail] New user part 2 Mika Suomalainen Tue Apr 10 11:02:24 2012

On 10.04.2012 20:41, Robert J. Hansen wrote:
> On 4/9/12 6:06 PM, Kristian Fiskerstrand wrote:
>> To some extent I disagree with your points (b,c). In my opinion 
>> providing a signature can also be useful without specifying a trust 
>> level of the sender's key - especially on a mailing list, as it
>> allows you to verify that both message A and message B are coming from
>> sender S. This can have value even though you haven't verified S's
>> key and specified a trust level of the key to the extent imposter I
>> sends message C claiming to be sender S.
> Nope.
> A few years ago over on PGP-Basics one particular person was claiming
> this.  And not just claiming it politely, as you are, but making a big
> shouting fit every time someone posted a non-signed message to the list.
> He made the same argument you did.
> John Moore, John Clizbe and I decided we'd make a point.  We shared a
> keypair among the three of us and started using this to sign all our
> posts.  We never uploaded the certificate to the keyservers.
> This person who was screaming the loudest about the benefits of signed
> messages thanked us for how we were now signing our messages.
> Nobody noticed we were all using the same certificate for ... I don't
> recall.  I think it was at least three months, though.  Some people were
> very angry with us for our shenanigans, but (forgive me for speaking for
> the three of us: John Clizbe will certainly correct me if I'm wrong) we
> thought it was a useful demonstration of why signed messages from
> unknown, untrusted individuals are not as useful as people like to think.
> It's also worth noting: we weren't trying to fool anyone.  We were quite
> openly using the same certificate.  There were, are, many things we
> could have done in order to make our skulduggery more difficult to
> detect.  We made it as easy as possible for people to notice, and it
> still took an entire mailing list months and probably almost 100
> messages between the three of us to notice, "hey, these three guys are
> using the same certificate...".
> _______________________________________________
> Enigmail mailing list
> https://www.mozdev.org/mailman/listinfo/enigmail

If one of them had been automatically receiving missing keys, he/she
would have noticed that immediately, by seeing that gpg complained about
the same key being missing for three users.

By automatically receiving keys, I don't mean only Enigmail's "get key
for signature verification from this keyserver" option, but also
> keyserver-options auto-key-retrieve no-include-revoked verbose

Mika Suomalainen
gpg --keyserver pool.sks-keyservers.net --recv-keys 4DB53CFE82A46728
Key fingerprint = 24BC 1573 B8EE D666 D10A  AA65 4DB5 3CFE 82A4 6728
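As an added illustration (not part of this thread or of Enigmail), the check Mika describes can be automated: group the GnuPG status lines a mail client sees per message by signing key ID and flag any key ID that turns up under more than one From: address, whether the key was found (GOODSIG) or is still missing (NO_PUBKEY). The sample messages, addresses and key IDs below are constructed; only the GOODSIG / NO_PUBKEY token names are real GnuPG --status-fd output.

```python
import re
from collections import defaultdict

# Constructed sample: for each list message, the From: address paired with the
# GnuPG --status-fd line the verifier would emit for it. GOODSIG means the
# signing key is in the keyring, NO_PUBKEY means it is missing (the case Mika
# describes, where gpg complains about the same key for several senders).
# The key IDs and addresses are invented for illustration.
SAMPLE = [
    ("alice@example.org", "[GNUPG:] GOODSIG 0123456789ABCDEF Alice <alice@example.org>"),
    ("bob@example.org",   "[GNUPG:] GOODSIG 0123456789ABCDEF Alice <alice@example.org>"),
    ("carol@example.org", "[GNUPG:] NO_PUBKEY FEDCBA9876543210"),
    ("dave@example.org",  "[GNUPG:] NO_PUBKEY FEDCBA9876543210"),
    ("erin@example.org",  "[GNUPG:] GOODSIG 1111222233334444 Erin <erin@example.org>"),
]

# Status token followed by the 16-hex-digit long key ID; the user ID that
# GOODSIG appends is deliberately ignored, because a shared key can carry
# several user IDs while its key ID stays the same.
STATUS_RE = re.compile(r"^\[GNUPG:\] (GOODSIG|NO_PUBKEY) ([0-9A-F]{16})")


def key_ids_by_sender(messages):
    """Map each signing key ID to the set of From: addresses that used it."""
    senders = defaultdict(set)
    for sender, status in messages:
        m = STATUS_RE.match(status)
        if m:
            senders[m.group(2)].add(sender)
    return senders


def shared_keys(messages):
    """Return {key_id: sorted senders} for keys that signed mail from
    more than one From: address, i.e. the pattern from the anecdote."""
    return {k: sorted(v) for k, v in key_ids_by_sender(messages).items() if len(v) > 1}


if __name__ == "__main__":
    for key_id, who in shared_keys(SAMPLE).items():
        print(f"key {key_id} used by {len(who)} senders: {', '.join(who)}")
```

Seen across a whole list archive rather than a single mailbox, the same grouping makes the three-months delay in the anecdote a one-pass query.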
