[messaging] twitter and github as key validators [was: Re: key validation rules for today]

Tobias Mueller muelli at cryptobitch.de
Tue Sep 9 14:25:43 PDT 2014


On Tue, Sep 09, 2014 at 01:09:17PM -0700, Tony Arcieri wrote:
> If you have your key fingerprint published through many channels, someone
> concerned with actually verifying your key fingerprint can check them all
> to ensure they match. If there's a discrepancy, something is probably amiss.
What is missing, for me at least, in this statement is that the very same channel
is used.  Namely the Web via your Web browser.  I consider this channel to be
easily attackable plus the attack to subvert the proposed verification algorithm
easily mountable.  It's a mere 's/old_fingerprint/corrupted_fp/g' operation.

You might not have that attacker or threat model in mind when assessing the
security of the proposed scheme.  Some others do.  Those people, as it has already
been written, wouldn't want to depend solely on that scheme to verify keys.
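The point above, worked through as an added example (not code from the thread or from any of the participants): fingerprints gathered from several sites through one browser path agree with each other even after an in-path rewrite, and the discrepancy only surfaces once a channel the attacker does not control is included. All fingerprints and channel names are constructed.

```python
import re

# Constructed sample values, not real key fingerprints.
REAL_FP = "1234 5678 9ABC DEF0 1234 5678 9ABC DEF0 1234 5678"
FORGED_FP = "DEAD BEEF DEAD BEEF DEAD BEEF DEAD BEEF DEAD BEEF"


def normalize(fp):
    """Canonicalise a fingerprint: drop whitespace, upper-case the hex."""
    fp = re.sub(r"\s+", "", fp).upper()
    if not re.fullmatch(r"[0-9A-F]{40}", fp):
        raise ValueError("not a 40-hex-digit fingerprint: %r" % fp)
    return fp


def fingerprints_agree(channels):
    """channels: {channel_name: fingerprint_text}.
    Returns (all_agree, set_of_distinct_normalised_values)."""
    seen = {normalize(v) for v in channels.values()}
    return len(seen) == 1, seen


def browser_fetch(channels, in_path_attacker=None):
    """Simulate fetching every web channel through one browser path.
    An attacker on that path rewrites every page the same way, i.e. the
    s/old_fingerprint/corrupted_fp/g operation from the mail."""
    if in_path_attacker is None:
        return dict(channels)
    old, new = in_path_attacker
    return {name: body.replace(old, new) for name, body in channels.items()}


def demo():
    published = {"twitter": REAL_FP, "github": REAL_FP, "blog": REAL_FP}
    # Honest path: all channels agree.
    honest_ok, _ = fingerprints_agree(browser_fetch(published))
    # Attacker on the shared path: all channels still agree, all wrong.
    tampered = browser_fetch(published, (REAL_FP, FORGED_FP))
    tampered_ok, _ = fingerprints_agree(tampered)
    # One channel outside the attacker's reach (e.g. a fingerprint read
    # from a business card handed over in person) exposes the mismatch.
    tampered["in_person"] = REAL_FP
    mixed_ok, _ = fingerprints_agree(tampered)
    return honest_ok, tampered_ok, mixed_ok
```

`demo()` returns `(True, True, False)`: cross-channel agreement is only evidence when the channels are actually independent of each other.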


