On Fri, May 02, 2003 at 04:43:16PM -0500, Mark Rages wrote:
> On Fri, May 02, 2003 at 04:34:41PM -0500, Matthew Ross wrote:
> > Can't those with a copy of his public key just include his public key in their
> > fraudulent message "from him"?
>
> As I understand it, it is hashed against the message contents, so if you change the
> message it will not work.
Actually, if you take an attached public key as gospel, you've just broken anything
encryption gives you. I can say "Please transfer all of my money to Scott.", forge
the headers to be from Mark Rages, sign with a private key generated by me in the
name of Mark Rages, and attach the associated public key. Now if you check the
signed messages against the attached public key, it validates that in fact
Mark Rages sent the message. Key distribution is still the bigfoot of cryptography.
There are a few ways to distribute keys reasonably securely (web of trust comes to
mind), but it is a large problem. This is why I feel if encryption/signatures are
needed, you probably should either arrange for a face-to-face meeting or a secure
courier to drop off the keys, whether asymmetric or symmetric. Of course since
I just put a link to my homepage with my GnuPG key on it, I don't take my insane
wailing very seriously. Thank Dr. Bill Banks's crypto class for that lesson :).
--
Scott Hussey
http://www.lcl.lib.mo.us/~scott (Get GnuPG key here)
_______________________________________________
members mailing list
EMAIL:PROTECTED
http://mlug.missouri.edu/mailman/listinfo/members
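
An added example (not part of the original message, and not GnuPG's own code) of the point made in the reply above: a signature that verifies against the key attached to the same message says nothing about who sent it, while checking that key against a fingerprint obtained out of band does. It uses Go's Ed25519 in place of OpenPGP; the address, the keys and the SHA-256 fingerprint scheme are assumptions made for the illustration.

```go
package main
import (
	"crypto/ed25519"
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
)

// SignedMail is a constructed stand-in for a signed e-mail that carries its own public key.
type SignedMail struct {
	From        string
	Body, Sig   []byte
	AttachedKey ed25519.PublicKey
}

// Fingerprint is SHA-256 over the raw key (an assumption; OpenPGP computes fingerprints differently).
func Fingerprint(k ed25519.PublicKey) [32]byte { return sha256.Sum256(k) }

// Sign builds a message signed with priv and attaches the matching public key.
func Sign(from string, body []byte, priv ed25519.PrivateKey) SignedMail {
	return SignedMail{From: from, Body: body, Sig: ed25519.Sign(priv, body), AttachedKey: priv.Public().(ed25519.PublicKey)}
}

// VerifyAttached trusts the attached key: it shows the body is intact, not who wrote it.
func VerifyAttached(m SignedMail) bool {
	return len(m.AttachedKey) == ed25519.PublicKeySize && ed25519.Verify(m.AttachedKey, m.Body, m.Sig)
}

// VerifyPinned also requires the attached key to match the fingerprint pinned out of band for m.From.
func VerifyPinned(m SignedMail, pinned map[string][32]byte) bool {
	want, ok := pinned[m.From]
	if !ok || len(m.AttachedKey) != ed25519.PublicKeySize {
		return false
	}
	got := Fingerprint(m.AttachedKey)
	return subtle.ConstantTimeCompare(got[:], want[:]) == 1 && ed25519.Verify(m.AttachedKey, m.Body, m.Sig)
}

// Demo checks a genuine and a forged message; keys, address and first body are constructed.
func Demo() (genuineAttached, genuinePinned, forgedAttached, forgedPinned bool) {
	realPub, realPriv, _ := ed25519.GenerateKey(nil) // nil selects crypto/rand
	_, otherPriv, _ := ed25519.GenerateKey(nil)      // a second key made under the same name
	pinned := map[string][32]byte{"mark@example.org": Fingerprint(realPub)}
	genuine := Sign("mark@example.org", []byte("See you at the meeting."), realPriv)
	forged := Sign("mark@example.org", []byte("Please transfer all of my money to Scott."), otherPriv)
	return VerifyAttached(genuine), VerifyPinned(genuine, pinned), VerifyAttached(forged), VerifyPinned(forged, pinned)
}

func main() { fmt.Println(Demo()) }
```

Both messages pass the attached-key check; only the genuine one passes the pinned-fingerprint check.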