[H-GEN] Key-signing at Humbug: Saturday, 1st March 2003

Robert Brockway robert at timetraveller.org
Mon Feb 24 07:44:01 EST 2003


[ Humbug *General* list - semi-serious discussions about Humbug and     ]
[ Unix-related topics. Posts from non-subscribed addresses will vanish. ]

On Mon, 24 Feb 2003, Raymond Smith wrote:

> [1] These summaries are known as digests in the literature.
> [2] There are many others: use SneakerNet to physically copy the Public
>     Key from a secure computer; retrieve the Public Key from a central,
>     secured authority; have your system configured with a number of
>     'known good' Public Keys which are then used to establish a hierarchy
>     of trust (this is how SSL Certificates work in Web Browsers)

Yes, and I am endlessly amazed at how these 'known good' Public keys came
to be 'known good'.  In some cases the companies involved just set
themselves up as Root Certificate Authorities, declared themselves to be
trustworthy and started selling signed certificates.  They had to acquire
a business relationship with browser manufacturers to be sure of inclusion
of course.  These business relationships would typically involve the
movement of money (of course) which further weakens the independence of
the Root Certificate Authorities as far as I'm concerned.

I've dealt with these companies before and have not always been convinced
that they make sufficient investigation into establishing the legitimate
existence of companies before issuing signed certificates.

Having said this, I do use https often and have passed credit card details
over the net many times.  There are 2 caveats though:

1)  I would normally only pass my credit card details to a company that I
    know exists.  In this case I am using SSL/TLS to authenticate the
    company's web server and encrypt my session but I am not relying on
    the web of trust to establish the company's existence as I have
    personal knowledge of it.  This requires me to be convinced that the
    Foobar Inc I know is the same Foobar Inc I'm communicating with via
    https.

2)  I religiously review my account statements and have queried numerous
    transactions with my credit union.  To date all have been legitimate.

> [3] Of course, Mark Suter himself requires no authentication as he is
>     inimitable. :-)

Does this mean Mark is self signed? :)

> [4] A bloody stupid name IMNSHO - it does not express the gravity of
>     signing a Public Key.

Agreed.

> [5] It should be noted that you should be convinced of the other persons
>     authenticity. If you have a shadow of a doubt, don't sign their key.

Agreed again.  I suspect social pressure is a problem here though - many
people might feel uncomfortable declining to sign the key of someone they
know socially but can't verify the identity of.  I hope everyone has read
the instructions and brings along two forms of photo ID.

> [6] with emphasis on the F.

I've enjoyed replying exclusively to your footnotes.

Rob

-- 
Robert Brockway B.Sc. email: robert at timetraveller.org  ICQ: 104781119
Linux counter project ID #16440 (http://counter.li.org)
"The earth is but one country and mankind its citizens" -Baha'u'llah


--
* This is list (humbug) general handled by majordomo at lists.humbug.org.au .
* Postings to this list are only accepted from subscribed addresses of
* lists 'general' or 'general-post'.  See http://www.humbug.org.au/
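An added example, not part of the original post or of the Humbug list, showing the mechanism footnote [2] and the reply above are discussing: a certificate chain is accepted only if it ends at one of the 'known good' roots already in the trust store, so a company that sets itself up as a Root Certificate Authority holds nothing more than a self-signed certificate until a browser vendor bundles it; and the out-of-band alternative, comparing the server certificate's fingerprint with a copy obtained by SneakerNet or from the company directly, which is what caveat 1 relies on instead of the hierarchy. The whole hierarchy ("Acme Root CA", "Acme Issuing CA", "www.foobar.example", "Some Other Root CA") is constructed here for illustration. Written in Go because its standard library can build and verify X.509 chains without extra packages.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

var serial int64 = 1000 // toy serial-number counter; real CAs use large random serials

// issue creates a certificate for cn signed by parent, or self-signed when parent is nil.
// The names and the whole hierarchy are made up for this example.
func issue(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial++
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.DNSNames = []string{cn} // what the browser matches against the host in the URL
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	signer, signerKey := tmpl, key // self-signed: the subject vouches for itself
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// Scenario: a self-declared root signs an issuing CA, which signs a server certificate.
// Other is an unrelated self-signed root that is already in the trust store, as bundled browser roots are.
type Scenario struct {
	Root, Intermediate, Leaf, Other *x509.Certificate
}

func BuildScenario() Scenario {
	root, rootKey := issue("Acme Root CA", true, nil, nil)
	inter, interKey := issue("Acme Issuing CA", true, root, rootKey)
	leaf, _ := issue("www.foobar.example", false, inter, interKey)
	other, _ := issue("Some Other Root CA", true, nil, nil)
	return Scenario{Root: root, Intermediate: inter, Leaf: leaf, Other: other}
}

// verifyChain does what a browser does with a server certificate: build a path from the
// leaf through intermediates to a root in the trust store, then check the hostname.
// Nothing in the chain itself makes it trusted; only the root's presence in roots does.
func verifyChain(leaf *x509.Certificate, intermediates, roots []*x509.Certificate, host string) error {
	rootPool, interPool := x509.NewCertPool(), x509.NewCertPool()
	for _, c := range roots {
		rootPool.AddCert(c)
	}
	for _, c := range intermediates {
		interPool.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: rootPool, Intermediates: interPool})
	return err
}

// fingerprint is the SHA-256 of the DER certificate: the value you compare with a copy
// obtained out of band (SneakerNet, the company's own paperwork, a phone call).
func fingerprint(c *x509.Certificate) string {
	sum := sha256.Sum256(c.Raw)
	return hex.EncodeToString(sum[:])
}

// pinMatches is the out-of-band alternative to the CA hierarchy: accept the leaf only if it
// is the exact certificate you verified yourself, whoever signed it.
func pinMatches(leaf *x509.Certificate, pinned string) bool {
	return fingerprint(leaf) == pinned
}

func main() {
	s := BuildScenario()
	inter := []*x509.Certificate{s.Intermediate}
	// Acme declared itself a root, but nobody has bundled it yet: the chain is rejected.
	fmt.Println("Acme not in store:", verifyChain(s.Leaf, inter, []*x509.Certificate{s.Other}, "www.foobar.example"))
	// Acme got included: the very same chain is now accepted.
	fmt.Println("Acme in store:", verifyChain(s.Leaf, inter, []*x509.Certificate{s.Other, s.Root}, "www.foobar.example"))
	// A trusted root does not help if the name is not the site you meant to visit.
	fmt.Println("wrong host:", verifyChain(s.Leaf, inter, []*x509.Certificate{s.Root}, "www.f00bar.example"))
	// Pinning: in practice the pinned value comes from a channel you trust, not from the connection itself.
	fmt.Println("pin matches:", pinMatches(s.Leaf, fingerprint(s.Leaf)))
}
```

The first two checks are the point of the thread: the only difference between "rejected" and "accepted" is whether the self-declared root was added to the store, which is the step that in practice involves the business relationship with the browser vendor. The pin check is the model caveat 1 uses instead: it says nothing about who the company is, only that this is the same key you checked before, so the fingerprint has to come from somewhere other than the https connection you are trying to verify.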