Digital Signing (Beat The Dead Horse) was Re: Free Software for m$

Randy Kaelber plug-discuss@lists.plug.phoenix.az.us
Wed, 25 Sep 2002 14:12:51 -0700


William Lindley wrote:
> 
> So the bottom line is, if I receive a signed message, it will take fifteen
> minutes wandering around the web to see if I can maybe find something that
> authenticates it.  Assuming that web page hasn't been redirected or
> otherwise hijacked... which I have no way of knowing.

Hypothetical:  I somehow manage to hijack the MIT public keyserver
(probably the best one known).  Now, I have to somehow generate a new
key for you to put on my pirate keyserver, fake signatures onto them
from other signatories, all on the hope that I can fake a signature from
you to someone on the off-chance that they don't already have your
public key.

With that said, you don't trust a public key where you haven't validated
the identity of the person sending it to you (and the fingerprint of the
key), or if the key itself isn't signed by anyone you know.  Once you
have done this (one time only!), you now have a secure means of
encryption (reading by unauthorized people), authentication (this
message is from who it says it is) and verification (the message hasn't
been changed in transit).  Sure, I can always get someone's secret key
by judicious use of rubber hoses and electric shock, but short of that,
it's reasonably secure.

Frankly, signing a public message is something less for the receiver and
more for the sender.  Supposing someone hacks my ISP and fakes an email
from me containing a death threat, leaked confidential data, etc.  If I
am known to sign my messages with a digital signature,  they can fake
mail that looks like it comes from me, but they can't fake the
signature.  If I am in the habit of signing every public post with a
digital signature, the message is automatically suspect.  I'll leave the
plausible deniability argument of intentionally posting some stuff
without a signature alone for the moment.

> 
> Obviously we all need Trusted Computing!  (gag)

<sarcasm>Well there's a productive attitude.</sarcasm>

Nobody's asking you to use it, but you shouldn't badmouth those who
do.  If you've got a better method for secure communications and
authentication, the world would really like to hear it.

-- 
Randy Kaelber                                       
Randy.Kaelber@asu.edu
Software Engineer  
Mars Space Flight Facility, Department of Geological Sciences
Arizona State University, Tempe, Arizona, USA

"Anarchy is the sure consequence of tyranny; for no power that is not
limited by laws can ever be protected by them." - Milton
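
Added example, not part of the original message: the one-time fingerprint check described above, set against the hijacked-keyserver hypothetical. It assumes OpenPGP version 4 keys (fingerprint as defined in RFC 4880); the user ID, key material and keyserver dictionaries are constructed for illustration.

```python
import hashlib
import struct

def mpi(n):
    # OpenPGP multiprecision integer: 2-byte bit count, then big-endian bytes.
    return struct.pack(">H", n.bit_length()) + n.to_bytes((n.bit_length() + 7) // 8, "big")

def rsa_public_key_packet(created, n, e):
    # Body of a version 4 public-key packet: version, creation time,
    # algorithm (1 = RSA), then the modulus and exponent as MPIs.
    return bytes([4]) + struct.pack(">I", created) + bytes([1]) + mpi(n) + mpi(e)

def v4_fingerprint(packet_body):
    # RFC 4880 section 12.2: SHA-1 over 0x99, 2-byte length, packet body.
    framed = b"\x99" + struct.pack(">H", len(packet_body)) + packet_body
    return hashlib.sha1(framed).hexdigest().upper()

def key_matches(packet_body, confirmed_fingerprint):
    # Fingerprints are usually read out in groups of four; ignore spacing and case.
    wanted = "".join(confirmed_fingerprint.split()).upper()
    return len(wanted) == 40 and v4_fingerprint(packet_body) == wanted

def accept_key(keyserver, user_id, confirmed_fingerprint):
    # Return the key only if it is the one whose fingerprint was confirmed
    # with its owner; the name the keyserver files it under proves nothing.
    packet_body = keyserver.get(user_id)
    if packet_body is not None and key_matches(packet_body, confirmed_fingerprint):
        return packet_body
    return None

# Constructed sample data: toy moduli, not usable keys.
USER_ID = "Alice Example <alice@example.org>"
GENUINE = rsa_public_key_packet(1032900000, (2**127 - 1) * (2**89 - 1), 65537)
FORGED = rsa_public_key_packet(1032900000, (2**107 - 1) * (2**61 - 1), 65537)
HONEST_SERVER = {USER_ID: GENUINE}
HIJACKED_SERVER = {USER_ID: FORGED}  # same name, different key material

def grouped(fingerprint):
    return " ".join(fingerprint[i:i + 4] for i in range(0, 40, 4))

if __name__ == "__main__":
    confirmed = grouped(v4_fingerprint(GENUINE))  # as read out by the key owner
    print("confirmed fingerprint:", confirmed)
    print("honest keyserver:  ", accept_key(HONEST_SERVER, USER_ID, confirmed) is not None)
    print("hijacked keyserver:", accept_key(HIJACKED_SERVER, USER_ID, confirmed) is not None)
```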