[messaging] Thoughts on keyservers

[Alaric Snell-Pym]

On 28/08/14 16:20, Michael Rogers wrote:
> Sorry for the broken formatting, writing this on my phone...
> 
>> B) If I know Bob as somebody who writes really cool blog posts
>> about something interesting, so whose opinion I value and want to
>> solicit, then "Bob" is really just my petname for this identity.
>> What I really care about is that my message is only readable by the
>> author of those posts. Seeing what key has signed those posts and
>> then using that to encrypt a message and then checking the
>> signature on the reply is what I need
> 
> This is secure only to the extent that you trust the channel by which
> you obtained the blog posts. Anyone could take those posts, strip off
> the author's signatures and sign them with another key in order to
> receive replies intended for the author.

Yes; providing security against plagiarism is another interesting topic
- and pretty tricky when the plagiarist is a MITM :-) If not, then
plagiarism can often be at least detected after the fact, by the
original turning up as well as the plagiarised version, or the original
author seeing their own content with another's signature on it. In
practice, we can reduce the impact of plagiarism on
crypto-identity-theft by making an effort to use the same
crypto-identity (or linked crypto-identities) in lots of different
environments, to make it hard to MITM them all. I use the same GPG key
to post stuff here and to sign various things on
http://www.snell-pym.org.uk/alaric/ (including references to other keys
I hold), and for other mailing lists and public mails, for instance -
from a variety of Internet connections.

ABS

-- 
Alaric Snell-Pym
http://www.snell-pym.org.uk/alaric/

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: OpenPGP digital signature
URL: <http://moderncrypto.org/mail-archive/messaging/attachments/20140828/a7a08da9/attachment.sig>