Keysigning...

I've been reading about keysigning parties today, and trying to study OpenPGP (which uses a so-called "web of trust") and S/MIME (which uses "certificate authorities"). S/MIME is simpler to use and it's top-down: you get an official company to vouch that your cryptographic key (your certificate, actually) really belongs to someone with your name and email address. With OpenPGP, it's other OpenPGP users who vouch for you. Keysigning parties are where you get together in person with other PGP users, check each other's identification and key fingerprints, and then sign each other's keys (certificates).

I'm looking at the issue from an identity point of view, not from a security point of view. I haven't figured out why there's no mention of signing each other's certificates online. If I know someone via email and/or IM, why can't I run a little utility program on my computer that validates someone else using email or IM? The cryptographic theory is that the "Jim Smith" I know over email might not actually be named "Jim Smith" in his own warm and breathing flesh. (Like I care.) So in theory, I have to meet them in person. Of course, meeting them in person doesn't guarantee they aren't D. B. Cooper with a fake ID. "But hey," (the crypto-wonks say) "it's a guarantee that the key you're signing is really Jim's, and not one substituted by a man-in-the-middle attack."

The vast majority of us aren't important enough for anyone to scam us in that way. If you tell your buddy you're going to be out of town over the weekend, and you use an unsecured IM channel to tell them, it's pretty unlikely someone is going to eavesdrop on you and use that information to rob your house. Unless you're Bill Gates.

So can someone explain it to me? Wouldn't OpenPGP be much more successful if you could trust people you met online? After all, you're not vouching for their credit rating or anything; you're just verifying that they're a "real" person who answers to some specific name and email address.
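As an added illustration (not part of the original post), here is what the "little utility" described above would and wouldn't prove. It is a self-contained Python simulation: the keyserver, the mail channel and the parties Alice (the verifier), Bob and Mallory are all constructed here, and the keypairs are toy textbook RSA built from known Mersenne primes so the script runs with the standard library alone (that is an assumption for illustration; real OpenPGP keys are far larger and encryption is padded). The verifier encrypts a random nonce to whatever key it fetched for bob@example.org and mails the ciphertext; whoever holds the matching private key and reads that mailbox can send the nonce back. In the honest case the check passes. But if Mallory has uploaded her own key under Bob's address and also sits on the mail path (the man-in-the-middle the crypto-wonks mean), the check still passes, because it only proves that the key and the mailbox are controlled by the same party, not that the party is Bob. Comparing the fetched key's fingerprint with one obtained out of band, which is what the in-person party supplies, is what catches the swap.

```python
import hashlib
import secrets

# Toy textbook RSA on fixed Mersenne primes so the demo runs with the standard
# library only. Assumption for illustration only: real OpenPGP keys are much
# larger and use padded encryption. Never use this for anything real.
E = 65537


def make_keypair(p, q):
    """Return ((n, e), (n, d)) for primes p and q."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))
    return (n, E), (n, d)


def fingerprint(pub):
    """Short hash of the public key: the value people compare in person."""
    n, e = pub
    return hashlib.sha256(f"{n}:{e}".encode()).hexdigest()[:40]


class Party:
    """A PGP user with a mailbox address and a keypair (constructed here)."""

    def __init__(self, email, p, q):
        self.email = email
        self.pub, self.priv = make_keypair(p, q)

    def decrypt(self, ciphertext):
        n, d = self.priv
        return pow(ciphertext, d, n)


def email_verify(fetched_pub, deliver):
    """The 'little utility': encrypt a fresh nonce to the key we fetched and
    mail it. Only someone who reads that mailbox AND holds the private key
    can send the nonce back. `deliver` models the (insecure) mail channel."""
    n, e = fetched_pub
    nonce = secrets.randbits(64)          # far below n, so RSA recovers it exactly
    reply = deliver(pow(nonce, e, n))
    return reply == nonce


def simulate(mitm):
    """Run the online check with or without a man-in-the-middle.
    Returns both verdicts: the email challenge and the fingerprint comparison."""
    bob = Party("bob@example.org", (1 << 61) - 1, (1 << 89) - 1)
    mallory = Party("mallory@example.org", (1 << 107) - 1, (1 << 127) - 1)

    keyserver = {bob.email: bob.pub}          # unauthenticated directory
    if mitm:
        # Mallory publishes her own key under Bob's address and also reads
        # Bob's mail, so the challenge lands with her and she can answer it.
        keyserver[bob.email] = mallory.pub
        deliver = mallory.decrypt
    else:
        deliver = bob.decrypt

    fetched = keyserver[bob.email]
    # What the online check proves: key and mailbox are held by the same
    # party. It says nothing about who that party is.
    email_check = email_verify(fetched, deliver)
    # What an out-of-band comparison (business card, keysigning party) adds:
    # the fetched key is the one Bob himself showed you.
    fingerprint_ok = fingerprint(fetched) == fingerprint(bob.pub)
    return {"email_check": email_check, "fingerprint_ok": fingerprint_ok}


if __name__ == "__main__":
    print("honest:", simulate(mitm=False))   # both True
    print("mitm:  ", simulate(mitm=True))    # email_check True, fingerprint_ok False
```

The point of the two runs is that the email challenge returns True in both; it is a useful check (it stops someone from simply claiming an address they can't read), but on its own it cannot distinguish Bob from a Mallory who controls both the key listing and the mail path. The fingerprint comparison is the one step that needs a channel the attacker doesn't control, which is what meeting in person provides.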

Comments:

>If you tell your buddy that you're going to be
>out of town over the weekend, and you use an
>unsecured IM channel to tell them that, then
>it's pretty unlikely someone is going to
>eavesdrop on you and use that information to rob
>your house.


Back around '97 or so, the ISP I used was hacked hardcore, and before it was found out they hit my box because they found me on an IRC network I helped with. The ISP found out they were hacked after I stopped by to talk to the admin about what to do about protecting my poor Slackware Linux box better at the time, as someone had hacked into it and did a lovely rm -rf /etc on it and just killed it. Mind you, I was just out of high school at the time and learning Linux without any help and trying to figure it out. Heck, I'm still learning more than ever for that matter; this industry is a never-stop-learning beast.

The folks who hacked the box did in fact go through emails, sending emails back depending on the context of the emails they found, and in fact tried to get money off folks by doing some rather uncool things online. Needless to say, it can happen if the past is any indication, and I would say the odds of it happening are becoming more and more in the world of extortion to gain capital. You might not care about Joe Blow, but the money he might pay you off to be quiet about stuff you find out related to his personal life, or business, might be reason enough for folks to attempt it.

Posted by Jeffrey Olson on February 05, 2006 at 11:06 PM PST #

About

Chris Quenelle
