[Enigmail] Robert Hansen's pop quiz
Billy O Clinton
billyoclintonpgp at gmail.com
Wed Mar 12 21:29:50 PDT 2008
Robert J. Hansen wrote:
> Pop quiz! All answers must be justified.
>
>
>
> Part 1: Basic Trust Skills (Short Answer)
>
> Search for keys 0xFEAF8109, 0x5B0358A2 and 0xCCEC227B. Answer these
> four questions for each key.
>
> 1. Should you sign this key and make it valid?
> 2. Stipulate the key belongs to the person it claims, and that
> the key is correct. Should you now sign it?
> 3. Do you trust the person named in the key?
> 4. Should the answers to #2 and #3 have been the same?
>
>
> Part 2: Advanced Trust Skills (Short Answer)
>
> 1. Do digital signatures create a trust relationship, or do
> they only reflect an already-existing trust relationship?
> 2. Do digital signatures serve any purpose in the absence of
> an already-existing trust relationship?
> 3. Should you know all the root authorities your operating
> system trusts?
> 4. Why do you trust your OS vendor to decide which root
> authorities are trustworthy?
>
>
>
>
> I would politely ask that people who can easily answer these questions
> hold off until Friday--let's let the newbies mull these questions over
> in peace. :)
>
> Man, I miss teaching Computer Literacy... :)
>
Part 1
0xFEAF8109: Unsure if I should sign this key. *Pretending* this key is
100% your key, I would sign the key "I have done casual checking". I
would not sign your key as "I have done very careful checking" because I
do not know you IRL, have not seen your actual ID, or at the least know
your voice to verify your public key fingerprints over the phone.
0x5B0358A2: What I wrote above would apply here in my reasoning.
0xCCEC227B: I would not sign, trust, or even send an encrypted message
to this user because their public key was revoked.
Part 2
1. From what I've read about digital signatures on Wikipedia, they seem
difficult to forge. So in this sense it simply creates trust between
exchanging users. I don't think these signatures reflect an already
existing trust-relationship because it is only another layer of
assurance between the parties; i.e. what would be the point of digital
signatures if they only served as a reflection of a trust relationship?
2-4: No idea.
-Bill
-----
MacOSX 10.5.2//C2D2.2+4GBRAM
Thunderbird 2.0+Enigmail+GnuPG1.4.8