Re: to the "forger" troll - Slackware



Thread: Re: to the "forger" troll

  1. Re: to the "forger" troll

    "forger" troll wrote:
    >twenty-third alternate sock wrote:
    >>Let me summarize. A post signed by my PGP key
    >>absolutely guarantees it is my post.

    >
    >Really. And what if somebody acquired your pgp
    >key without your knowledge.


    And what if little green alien space babies penetrated your cranial
    protection shield, and wrapped their brain-siphon tentacles around
    your cerebral cortex, what then?


  2. Re: to the "forger" troll

    Cyberiade.it Anonymous Remailer wrote:
    quoting someone else,

    >>>Let me summarize. A post signed by my PGP key
    >>>absolutely guarantees it is my post.


    As far as I understand it a post signed with a PGP or GnuPG key
    guarantees that it was signed on a computer to which someone had the
    password to operate the key.

    As far as using one of the encryption keys to sign posts to a newsgroup,
    that surely only works if the same author has always done it. An author
    who forges headers, and/or posts, and uses an encryption key proves
    only that he or she is using an encryption key, as for that matter does
    the legitimate author when posting in an attempt to counteract the
    forger. Both keys are genuine; which is the one belonging to which
    author?

    Perhaps someone with more experience can explain to me where I may have
    misconceived what actually happens?
    --
    Two Ravens
    "...hit the squirrel..."

  3. Re: to the "forger" troll

    Cyberiade.it Anonymous Remailer wrote:
    quoting someone else,

    >>>Let me summarize. A post signed by my PGP key
    >>>absolutely guarantees it is my post.


    As far as I understand it a post signed with a PGP or GnuPG key
    guarantees that it was signed on a computer to which someone had the
    password to operate the key.

    As far as using one of the encryption keys to sign posts to a newsgroup,
    that surely only works if the same author has always done it. An author
    who forges headers, and/or posts, and uses an encryption key proves
    only that he or she is using an encryption key, as for that matter does
    the legitimate author when posting in an attempt to counteract the
    forger. Both keys are genuine; which is the one belonging to which
    author?

    Perhaps someone with more experience can explain to me where I may have
    misconceived what actually happens?
    --
    Two Ravens
    "...hit the squirrel..."

  4. Re: to the "forger" troll

    Two Ravens wrote:
    > Cyberiade.it Anonymous Remailer wrote:
    > quoting someone else,
    >
    >>>> Let me summarize. A post signed by my PGP key
    >>>> absolutely guarantees it is my post.

    >
    > As far as I understand it a post signed with a PGP or GnuPG key
    > guarantees that it was signed on a computer to which someone had the
    > password to operate the key.
    >
    > As far as using one of the encryption keys to sign posts to a newsgroup,
    > that surely only works if the same author has always done it. An author
    > who forges headers, and/or posts, and uses an encryption key proves
    > only that he or she is using an encryption key, as for that matter does
    > the legitimate author when posting in an attempt to counteract the
    > forger. Both keys are genuine; which is the one belonging to which
    > author?
    >
    > Perhaps someone with more experience can explain to me where I may have
    > misconceived what actually happens?


    PGP tries to establish a social network of trust; people get together
    and sign each other's keys. Thus, the "my key is better than your
    key" game gets resolved when one of the authors can produce a trusted
    intermediary who will vouch for the key.

    Here's more details:
    http://en.wikipedia.org/wiki/Pretty_...y#Web_of_trust

    - Daniel

  5. Re: to the "forger" troll

    D Herring wrote:

    > PGP tries to establish a social network of trust; people get together
    > and sign each other's keys. Thus, the "my key is better than your
    > key" game gets resolved when one of the authors can produce a trusted
    > intermediary who will vouch for the key.
    >
    > Here's more details:
    > http://en.wikipedia.org/wiki/Pretty_...y#Web_of_trust
    >
    > - Daniel


    So a determined forger could if they wished construct a group just one
    bigger than the person whose identity they are trying to usurp. If
    someone with a need to verify their identity has a smaller circle of
    those who are willing to vouch for their bona fides, than someone who
    for whatever reason wishes to impersonate them, the one with the
    biggest circle of those willing to 'sign' their key 'wins'.

    The only solution I can see to that is to have the proof of identity
    that a government department requires, and have that attested to by
    some form of Notary Public. I believe that that was done in Spain some
    time ago with electronic signatures.
    --
    Two Ravens
    "...hit the squirrel..."

  6. Re: to the "forger" troll

    Two Ravens wrote:
    > D Herring wrote:
    >
    >> PGP tries to establish a social network of trust; people get together
    >> and sign each other's keys. Thus, the "my key is better than your
    >> key" game gets resolved when one of the authors can produce a trusted
    >> intermediary who will vouch for the key.
    >>
    >> Here's more details:
    >> http://en.wikipedia.org/wiki/Pretty_...y#Web_of_trust
    >>
    >> - Daniel

    >
    > So a determined forger could if they wished construct a group just one
    > bigger than the person whose identity they are trying to usurp. If
    > someone with a need to verify their identity has a smaller circle of
    > those who are willing to vouch for their bona fides, than someone who
    > for whatever reason wishes to impersonate them, the one with the
    > biggest circle of those willing to 'sign' their key 'wins'.
    >
    > The only solution I can see to that is to have the proof of identity
    > that a government department requires, and have that attested to by
    > some form of Notary Public. I believe that that was done in Spain some
    > time ago with electronic signatures.


    No; the idea is that, using the "six degrees of separation"[1], anyone
    can construct a chain of trusted people between themselves and the
    legitimate author.

    This personal link is required to defeat random groups of anarchists
    (or individuals with multiple pseudonyms) who generate large
    keychains. Even governments are not to be trusted; they're
    continually plagued by break-ins (e.g. cracked gov server signing
    certs), bribery, and forgery -- though the notary system does provide
    a sufficient hurdle to discourage many abuses.

    - Daniel

    [1] http://en.wikipedia.org/wiki/Six_degrees_of_separation
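    The trust calculation Daniel sketches in posts 4 and 6, and the "bigger
    circle" of signers Two Ravens worries about in post 5, can be modelled
    directly. What follows is an added example, not code from anyone in this
    thread or from GnuPG itself: a small Python model of the GnuPG "classic"
    web-of-trust validity rules (defaults completes-needed=1,
    marginals-needed=3, max-cert-depth=5) run over a constructed keyring in
    which the key names (me, alice, bob, carol, dave, author, forger,
    sock0..sock19) and the ownertrust assignments are made up.

```python
"""Toy model of GnuPG's 'classic' web-of-trust validity rules (defaults:
completes-needed=1, marginals-needed=3, max-cert-depth=5).  Constructed
example for this thread, not GnuPG code; real signatures, expiry and
revocation are left out."""
FULL, MARGINAL, NONE = "full", "marginal", "none"  # ownertrust I assign by hand

def compute_validity(certs, ownertrust, my_key, *, marginals_needed=3,
                     completes_needed=1, max_depth=5):
    """certs: {signer: {signed_key, ...}} -- who has certified whose key.
    Returns the set of keys whose binding to a person I may rely on."""
    valid = {my_key}       # my own key is valid by definition
    frontier = {my_key}    # keys that became valid in the previous round
    full_votes, marginal_votes = {}, {}
    for _ in range(max_depth):
        # Only keys that are already valid AND whose owner I trust may
        # introduce others.  A forger's sock-puppet ring has neither.
        for signer in frontier:
            trust = ownertrust.get(signer, NONE)
            if trust == NONE:
                continue
            votes = full_votes if trust == FULL else marginal_votes
            for target in certs.get(signer, ()):
                if target not in valid:
                    votes[target] = votes.get(target, 0) + 1
        newly = {k for k, n in full_votes.items() if n >= completes_needed}
        newly |= {k for k, n in marginal_votes.items() if n >= marginals_needed}
        newly -= valid
        if not newly:
            break
        valid |= newly
        frontier = newly
    return valid

def build_sample_keyring():
    """Constructed keyring: people I met at a key-signing party vouch for the
    legitimate author; 20 sock puppets cross-certify each other and the
    forger's key (Two Ravens' 'bigger circle')."""
    certs = {"me": {"alice", "bob", "carol"},      # passports checked in person
             "alice": {"dave", "author"}, "bob": {"author"},
             "carol": {"author"}, "dave": {"author"}}
    socks = [f"sock{i}" for i in range(20)]
    for s in socks:
        certs[s] = (set(socks) - {s}) | {"forger"}
    ownertrust = {"me": FULL, "alice": FULL,
                  "bob": MARGINAL, "carol": MARGINAL, "dave": MARGINAL}
    return certs, ownertrust
if __name__ == "__main__":
    certs, ownertrust = build_sample_keyring()
    print(sorted(compute_validity(certs, ownertrust, "me")))
```

    However many sock keys the forger generates, none of them becomes valid,
    because validity only flows from keys whose owners the verifier has
    personally assigned trust to; the author's key does become valid once
    enough trusted introducers have certified it.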

  7. Re: to the "forger" troll

    Two Ravens wrote:
    >
    >D Herring wrote:
    >
    >> PGP tries to establish a social network of trust; people get together
    >> and sign each other's keys. Thus, the "my key is better than your
    >> key" game gets resolved when one of the authors can produce a trusted
    >> intermediary who will vouch for the key.
    >>
    >> Here's more details:
    >> http://en.wikipedia.org/wiki/Pretty_...y#Web_of_trust

    >
    >So a determined forger could if they wished construct a group just one
    >bigger than the person whose identity they are trying to usurp. If
    >someone with a need to verify their identity has a smaller circle of
    >those who are willing to vouch for their bona fides, than someone who
    >for whatever reason wishes to impersonate them, the one with the
    >biggest circle of those willing to 'sign' their key 'wins'.
    >
    >The only solution I can see to that is to have the proof of identity
    >that a government department requires, and have that attested to by
    >some form of Notary Public. I believe that that was done in Spain some
    >time ago with electronic signatures.


    Government officials and notary publics can be bribed...

    Let's assume that I wish to associate my public key (and the
    ability to sign posts with it) with my real-life identity:
    Guy Macon.

    First, I make the following offers to anyone who wishes
    to investigate whether that key matches me:

    Search for my phone number in the phone book and make a call.
    I will give you all of my key properties (Fingerprint,
    key length and KeyID).

    Send me a letter and I will, by return mail, send you a sheet
    of paper with my key and my key properties.

    Walk up to my front door and ask, and I will hand you a sheet
    of paper with my key and my key properties and I will show you
    my passport and driver's license.

    Next, I publish my key and my key properties on my
    guymacon.com website -- the one that has my name in the
    WHOIS record.

    Then I start putting my key properties in the headers of my
    Usenet posts and emails and PGP-signing the content. Posts
    which are from the same news server that I have been using
    for a long time.

    Then I attend a few key signing parties and have a bunch of
    other people sign a PGP certificate containing my public key.
    I especially seek out members of my family and people who
    have worked with me or for me, and if they have a PGP ring
    I have them sign mine.

    Then I pay several certificate authorities (VeriSign/Thawte,
    Comodo, DigiCert...) to attest that the name on the credit
    card that paid for the certificate matches the public key,
    and that various public records match the address that they
    sent the bills to.

    And of course I use truecrypt to encrypt my key with a long
    memorized passphrase before storing it anywhere; we don't
    want a burglar to get the key.

    So, after I do all of that, how confident can someone be
    that the key used in all of the above is really mine?
    It is, after all, possible that some forger managed to
    steal my website, rent a house, put in a phone and have
    the phone company move my listing to it, and get a passport,
    credit card and driver's license all in my name. And this
    forger could possibly either look a lot like me or somehow
    manage to modify every photo of me everywhere. And it is
    possible that this forger might also somehow stop the real
    me from ever communicating that I am being impersonated.
    Possible, but not likely. And if someone does manage to
    do all of that, whether someone in a newsgroup trusts my
    PGP signature will be the least of my worries.

    --
    Guy Macon

  8. Re: to the "forger" troll

    On Mon, 30 Jul 2007 02:02:08 +0000, Guy Macon wrote:

    > Content-Transfer-Encoding: 8Bit
    >
    > Government officials and notary publics can be bribed...
    >
    > Let's assume that I wish to associate my public key (and the
    > ability to sign posts with it) with my real-life identity:
    > Guy Macon.
    >
    >


    I can't see your key. Why, if you are being forged and such, do you not
    use one?

    stonerfish

  9. Re: to the "forger" troll

    D Herring wrote:

    > No; the idea is that, using the "six degrees of separation"[1], anyone
    > can construct a chain of trusted people between themselves and the
    > legitimate author.
    >
    > This personal link is required to defeat random groups of anarchists
    > (or individuals with multiple pseudonyms) who generate large
    > keychains. Even governments are not to be trusted; they're
    > continually plagued by break-ins (e.g. cracked gov server signing
    > certs), bribery, and forgery -- though the notary system does provide
    > a sufficient hurdle to discourage many abuses.


    Then should I ever feel the need for GPG or PGP, the notary system is the
    one I may well use, especially as I have just moved from one Nation to
    another. The hassle with new driving licenses, etc., etc. proved to me just
    how difficult it is to prove who one really is, and how easy life would
    have been just to either 'drop off the radar' or become someone else!
    --
    Two Ravens
    "...hit the squirrel..."

  10. Re: to the "forger" troll

    jellybean stonerfish wrote:

    >I can't see your key. Why, if you are being forged and
    >such, do you not use one?


    I have been working 12-14 hours per day on a hot project.
    I need to carve out some time to set up a new newsreader
    that supports PGP and has good filtering.

    --
    Guy Macon

  11. Re: to the "forger" troll

    Guy Macon says:
    >jellybean stonerfish wrote:


    >>I can't see your key. Why, if you are being forged and such, do
    >>you not use one?


    >I have been working 12-14 hours per day on a hot project. I need


    It seems you have been working 12-14 hours a day on usenet. You
    could set up pgp trash in the time it takes to do one of these
    postings.

    >to carve out some time to set up a new newsreader that supports PGP
    >and has good filtering.


    We know somebody who will set it up for you. And they won't charge
    you much, neither. They'll send you your key through a secret email
    channel that neither the FBI, nor the CIA, know about yet.

    cordially, as always,

    rm
