[H-GEN] Key-signing at Humbug: Saturday, 1st March 2003

Christopher Biggs listjunkie at pobox.com
Tue Feb 25 00:05:53 EST 2003



Robert Brockway <robert at timetraveller.org> moved upon the face of the 'Net and spake thusly:

>>
>> Of course, everyone's key should be self-signed.  Right?
>
> In my experience that term usually refers only to a Root certificate.  So
> if you self sign you are setting yourself up as a root CA.
>

With PGP the purpose of self-signing your key is to prevent somebody
else coming along and adding an additional user-id to your key; if
your existing IDs are self-signed, that new user-id would be un-signed
and would stand out from the existing id(s).

e.g. I could get your key off the keyservers, grab myself a disposable
email account as "robbrockway2112 at hotmail.com", add that address to
your public key, and upload your modified key to the keyservers.  This
may cause people to send messages to the hotmail account instead of
your real account, and gives me a limited ability to pose as you
(although I would be unable to generate valid signatures or decode
encrypted messages).

This is a denial of service attack, and a mild form of identity theft.

--cjb
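The check the message describes, a user-id that carries no self-certification standing out from the ones that do, can be automated over GnuPG's machine-readable listing. The following Python is an added example, not code from the original post; it parses a constructed sample of `gpg --with-colons --list-sigs` output (the key IDs, names and addresses in it are made up) and reports every user-id on the key that is not certified by the key's own primary key ID. Field positions follow GnuPG's documented colon format: field 5 of a `pub` or `sig` record is the key ID, field 10 of a `uid` record is the user-id string, and field 11 of a `sig` record is the signature class.

```python
"""Flag user IDs on a PGP public key that carry no self-certification.

Parses the colon-delimited output of `gpg --with-colons --list-sigs` and
reports user IDs that the key's own primary key has not certified.
"""
from typing import Dict, List, Optional, Tuple

# Constructed sample listing (key IDs, names and addresses are invented).
# The second uid was "added" by a third party and is signed only by someone
# else's key, exactly the situation the message above warns about.
SAMPLE_LISTING = """\
pub:u:2048:1:0123456789ABCDEF:1046000000:::u:::scESC::::::
fpr:::::::::00000000000000000123456789ABCDEF:
uid:u::::1046000000::ABC123::Robert Brockway <robert@example.org>::::::::::0:
sig:::1:0123456789ABCDEF:1046000000::::Robert Brockway <robert@example.org>:13x:::::2:
sig:::1:FEDCBA9876543210:1046001000::::Some Friend <friend@example.net>:10x:::::2:
uid:u::::1046100000::DEF456::Robert Brockway <robbrockway2112@example.com>::::::::::0:
sig:::1:FEDCBA9876543210:1046100000::::Some Friend <friend@example.net>:10x:::::2:
sub:u:2048:1:ABCDEF0123456789:1046000000::::::e::::::
sig:::1:0123456789ABCDEF:1046000000::::Robert Brockway <robert@example.org>:18x:::::2:
"""

# OpenPGP certification signature classes 0x10..0x13 (generic, persona,
# casual, positive).  Subkey bindings (0x18) and direct key sigs (0x1F)
# say nothing about a user-id and are deliberately not counted.
CERTIFICATION_CLASSES = {"10", "11", "12", "13"}


def parse_listing(text: str) -> Tuple[Optional[str], Dict[str, List[Tuple[str, str]]]]:
    """Return (primary key ID, {user-id: [(signer key ID, sig class), ...]}).

    `sig` records belong to the most recent `uid` record; once a `sub`
    record starts, following `sig` records are subkey bindings and are skipped.
    """
    primary: Optional[str] = None
    uids: Dict[str, List[Tuple[str, str]]] = {}
    current: Optional[str] = None
    for line in text.splitlines():
        fields = line.split(":")
        rec = fields[0]
        if rec == "pub":
            primary = fields[4]            # field 5: long key ID
        elif rec == "uid":
            current = fields[9]            # field 10: user-id string
            uids[current] = []
        elif rec == "sub":
            current = None                 # stop attributing sigs to a uid
        elif rec == "sig" and current is not None:
            uids[current].append((fields[4], fields[10]))  # signer ID, class
    return primary, uids


def unselfsigned_uids(text: str) -> List[str]:
    """Return the user IDs that lack a certification signed by the primary key."""
    primary, uids = parse_listing(text)
    missing = []
    for uid, sigs in uids.items():
        self_certified = any(
            signer == primary and cls[:2] in CERTIFICATION_CLASSES
            for signer, cls in sigs
        )
        if not self_certified:
            missing.append(uid)
    return missing


if __name__ == "__main__":
    for uid in unselfsigned_uids(SAMPLE_LISTING):
        print(f"no self-signature: {uid}")
```

On a real keyring, feed the script the output of `gpg --with-colons --check-sigs <keyid>` rather than `--list-sigs`: `--check-sigs` actually verifies each signature and places the result in field 2 of the `sig` record, and only signatures marked `!` (good) should be accepted as a self-certification. A listing alone shows that a signature packet is present, not that it is valid, and it is the cryptographic check that a third party cannot pass without the private key.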

