[messaging] On Signed-Only Mails
natanael.l at gmail.com
Wed Dec 7 18:07:28 PST 2016
On 7 Dec 2016 20:37, "Bjarni Runar Einarsson" <bre at pagekite.net> wrote:
> Signatures don't just prove that the content is authentic, in
> practice they also work in the other direction - associating
> content and online identity with the signing key.
>
> A large amount of e-mails, consistently authored by the same
> persona and signed by the same key is as strong a signal of
> trustworthiness (of the key) as anything the web of trust or
> keyservers can provide. In many ways, it's stronger and more
> practical, because I probably care more about communicating with
> the person that wrote all those messages, than I care about
> government issued IDs or how diligent the author is at updating
> keyservers or attending keysigning parties.
>
> Um, in my opinion. I don't know if there is research which
> quantifies these assertions. So take with as many grains of salt
> as you feel appropriate. :-)

How to defeat a chess grandmaster:

Play as a proxy between two chess grandmasters. Just copy their moves, let
them play each other while both of them just see *your* face.

There's typically nothing in the data binding the actions to your identity.
Somebody persistent enough can silently substitute keys indefinitely if you
have no alternative communications channel.

You would have to proactively search for people mimicking your behavior if
you want to defend against this, and spread around your public key and
profile as much as you can to reduce the risk of getting impersonated
without you realizing it.

If you're not unique and notable enough, chances are nobody would even
detect a casual attempt at impersonation / proxying communications.

Age of an online persona does help (increased chance of detection by the
impersonated), but isn't a guarantee.