About PGP Signing a File.

Jeffrey F. Bloss jbloss at tampabay.rr.com
Tue Feb 13 09:54:04 UTC 2007


Tony Arnold wrote:

> Phil Zimmermann, who invented PGP, used to sign keys at conventions etc
> or wherever he was appearing and I think you had to produce your
> passport before he would sign it. So, a key signed by Phil is likely
> to be reasonably trustworthy!

This is exactly the sort of thing someone attacking PGP likes to
hear. ;) You're assigning trust where you shouldn't because you blindly
believe PRZ's signature on a key helps make it "authentic". So getting
a PRZ endorsement becomes a very easily exploitable and reliable way to
wedge yourself into the whole digital signature process.

This is a prime example of how security is often more about how a
system can be exploited than it is about how robust the tools are.
Passports are trivial to forge, and PRZ would have had no prior
knowledge of most or any of these people's identities. Those things
alone make this sort of "puppy mill" key signing less than useless. An
actual, real life breach of protocol that should have never
happened, let alone be trusted. :(

-- 
     _?_      Outside of a dog, a book is a man's best friend.
    (o o)         Inside of a dog, it's too dark to read.
-oOO-(_)--OOo------------------------------[ Groucho Marx ]---
                    http://wrench.homelinux.net/~jeff/
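The practical counterpart to the point above, as an added example that is not part of this thread: a cryptographically good signature on a file says nothing about whether you trust the signing key, so a verifier should read GnuPG's machine-readable status lines and reject anything whose ownertrust is not full or ultimate. GnuPG exits 0 for a good signature from an untrusted key and only warns on stderr, which is why the TRUST_* line has to be checked separately. The sample status output below is constructed (fingerprint and name are made up), and `verify_file` assumes `gpg` is on PATH.

```python
import subprocess

# Constructed sample of what "gpg --status-fd 1 --verify" prints for a file
# whose signature is good but whose key has never been assigned ownertrust.
SAMPLE_STATUS = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Example Signer <signer@example.org>
[GNUPG:] VALIDSIG 0000111122223333444455556666777788889999 2007-02-13 1171360444 0 4 0 1 10 00 0000111122223333444455556666777788889999
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""

# Only keys you have personally decided to trust (or marked ultimate) pass.
ACCEPTED_TRUST = {"TRUST_FULLY", "TRUST_ULTIMATE"}
FAILURE_TAGS = {"BADSIG", "ERRSIG", "NO_PUBKEY", "EXPKEYSIG", "REVKEYSIG"}


def classify(status_text):
    """Return (verdict, fingerprint) from gpg --status-fd output.

    verdict is 'bad' (signature did not verify), 'untrusted-key' (verified,
    but the key's ownertrust is below full) or 'trusted'.
    """
    valid = False
    fingerprint = None
    trust = None
    for line in status_text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        tag = fields[1]
        if tag in FAILURE_TAGS:
            return "bad", None
        if tag == "VALIDSIG":
            valid = True
            fingerprint = fields[2]
        elif tag.startswith("TRUST_"):
            trust = tag
    if not valid:
        return "bad", None
    if trust in ACCEPTED_TRUST:
        return "trusted", fingerprint
    return "untrusted-key", fingerprint


def verify_file(sig_path, data_path):
    """Run GnuPG on a detached signature and classify the result."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", sig_path, data_path],
        capture_output=True, text=True)
    return classify(proc.stdout)
```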