[146572] in cryptography@c2.net mail archive


Re: [Cryptography] Thoughts about keys

daemon@ATHENA.MIT.EDU (Jeremy Stanley)
Thu Sep 5 13:08:48 2013

X-Original-To: cryptography@metzdowd.com
Date: Thu, 5 Sep 2013 03:24:08 +0000
From: Jeremy Stanley <fungi@yuggoth.org>
To: cryptography@metzdowd.com
In-Reply-To: <CAAKQs1-F50dFT+qxR_y2EovUKiCRL7yL=9wycqKC-kL_NcYR8A@mail.gmail.com>
X-SA-Exim-Rcpt-To: cryptography@metzdowd.com
X-SA-Exim-Mail-From: fungi@yuggoth.org
Errors-To: cryptography-bounces+crypto.discuss=bloom-picayune.mit.edu@metzdowd.com

On 2013-09-04 13:12:21 +0200 (+0200), Ilja Schmelzer wrote:
> There is already a large community of quite average users which use
> Torchat, which uses onion-addresses as IDs, which are 512 bit hashes if
> I remember correctly.
> 
> Typical ways of communication in this community are "look for my
> torchat-id at forum example.net, I'm examplenick there."
[...]

You could do the same with OpenPGP keys too (look for my key at any
modern keyserver, I'm fungi@yuggoth.org there) but that misses the
possibility that in the future someone might upload a trojan key
claiming to be me and use it to sign and send them a spoofed
nefarious message, source code release tarball, git tag, whatever.
Handing them a copy of the key fingerprint gives them a means to
confirm the key they just pulled from the server is really the same
person who showed them a passport at the conference the month
before.

If there's no way for anyone to impersonate examplenick at forum
example.net then, sure, maybe simpler... but that forum is probably
not a distributed, highly available, cryptographically-verifiable
pool of key distribution API servers either. 
-- 
{ PGP( 48F9961143495829 ); FINGER( fungi@cthulhu.yuggoth.org );
WWW( http://fungi.yuggoth.org/ ); IRC( fungi@irc.yuggoth.org#ccl );
WHOIS( STANL3-ARIN ); MUD( kinrui@katarsis.mudpy.org:6669 ); }
_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography
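
Added example (not part of the original message or the archive): a Python sketch of the check the reply above describes, computing the OpenPGP v4 fingerprint (RFC 4880, section 12.2) of a key pulled from a keyserver and comparing it with the fingerprint handed over in person. The key material, timestamps and the names make_body, GENUINE, TROJAN and CARD are constructed for illustration and are not real keys.

```python
import hashlib
import struct


def v4_fingerprint(pubkey_body: bytes) -> str:
    """RFC 4880 12.2: SHA-1 over 0x99, two-octet length, public-key packet body.
    User ID packets are not hashed, so anyone can attach any name to a new key."""
    if not pubkey_body or pubkey_body[0] != 4:
        raise ValueError("not a version 4 public-key packet body")
    if len(pubkey_body) > 0xFFFF:
        raise ValueError("packet body too long for a two-octet length")
    header = b"\x99" + struct.pack(">H", len(pubkey_body))
    return hashlib.sha1(header + pubkey_body).hexdigest().upper()


def key_id(fingerprint: str) -> str:
    """The 64-bit key ID is the low-order 64 bits of the v4 fingerprint."""
    return fingerprint[-16:]


def normalize(fp: str) -> str:
    """Accept a fingerprint as printed on paper: spaces, colons, mixed case."""
    cleaned = "".join(fp.split()).replace(":", "").upper()
    if len(cleaned) != 40 or not set(cleaned) <= set("0123456789ABCDEF"):
        raise ValueError("expected a full 160-bit fingerprint, not a key ID")
    return cleaned


def matches_handed_over(pubkey_body: bytes, handed_over_fp: str) -> bool:
    """True only if the fetched key hashes to the fingerprint given in person."""
    return v4_fingerprint(pubkey_body) == normalize(handed_over_fp)


def make_body(created: int, n: int, e: int = 65537) -> bytes:
    """Constructed v4 RSA public-key packet body (toy modulus, illustration only)."""
    def mpi(x: int) -> bytes:
        return struct.pack(">H", x.bit_length()) + x.to_bytes((x.bit_length() + 7) // 8, "big")
    return b"\x04" + struct.pack(">I", created) + b"\x01" + mpi(n) + mpi(e)


# Constructed sample data: the genuine key and a look-alike uploaded later
# to the keyserver under the same user ID.
GENUINE = make_body(1378351448, 0xC0FFEE1234567891)
TROJAN = make_body(1378437848, 0xDEADBEEF12345679)
# The fingerprint as it would be handed over on paper, in groups of four.
CARD = " ".join(v4_fingerprint(GENUINE)[i:i + 4] for i in range(0, 40, 4))

if __name__ == "__main__":
    for label, body in (("genuine", GENUINE), ("trojan", TROJAN)):
        fp = v4_fingerprint(body)
        print(label, fp, "keyid", key_id(fp), "match:", matches_handed_over(body, CARD))
```

normalize() rejects a bare 64-bit key ID on purpose, so the comparison is always made against the full 160-bit fingerprint.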
