Re: About PGP Signing a File.



Jeff,

Jeffrey F. Bloss wrote:

Or even better... meet in person, demand three forms of photo ID, and run
fingerprints through NCIC/whatever. All in front of reliable, bondable
witnesses. <grin>

LOL!


This is why PGP/GnuPG are primarily data integrity tools and not proof
of authorship tools. Indeed most digital signature schemes can't be
used to reliably authenticate origin, just guarantee data hasn't been
tampered with. The more refined tools like GnuPG and PGP implement
methods of forming trusted relationships, but they are in general not so
robust and easily exploited. Certainly not to be relied on for any
mission critical work.

I don't think it is possible for someone to prove beyond doubt they are
who they say they are. I suspect even your example above is open to abuse.

It therefore becomes a question of degrees of trust. A document that has
been signed with a key that has also been signed by a number of people
increases that degree of trust, but as you say does not guarantee
authorship. A signature based on a key that has not been signed by
anybody is much less trustworthy.

There are other protocols which address identity in much more suitable
ways, although the "zero knowledge proof" problem has been a major
thorn in cryptographers' sides since cryptography was invented. ;)

I'd be interested to hear about other such protocols.

Regards,
Tony.
--
Tony Arnold, IT Security Coordinator, University of Manchester,
IT Services Division, Kilburn Building, Oxford Road, Manchester M13 9PL.
T: +44 (0)161 275 6093, F: +44 (0)870 136 1004, M: +44 (0)773 330 0039
E: tony.arnold@xxxxxxxxxxxxxxxx, H: http://www.man.ac.uk/Tony.Arnold
