[Enigmail] New to Enigmail and having a question about the validity of signatures

Bernard Tasker bjtasker at btasker.me.uk
Thu Mar 13 03:57:58 PDT 2008


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi

My attempts:

Part 1
I will be interested to know how to answer your question properly but as
I understand it I should not sign any keys where I am unable to confirm
identities properly.  I "know" Robert and Patrick through this and other
lists, but as far as I know I have not had any contact with Werner.

As I would not ask any of these gentlemen to sign my keys, as they do
not know me sufficiently to confirm my identity, I am not in a position
to sign theirs.

Part 2

1. Digital signatures do not create a trust, but rather confirm a trust
that already exists, or has been established.

2. Digital signatures that are not "trusted" have a use in as much as
they can confirm consistency i.e. all messages come from the same
source, but nothing stronger.

3 and 4. Not sure I really understand this, except there is no reason to
trust OS vendors.

Please forgive me if I am missing the points - I am an older person,
after all, who was brought up in the fifties on nothing more
technologically advanced than log tables and slide rules; what little I
know about computing is self taught!

Bernard




Robert J. Hansen wrote:
> (bcc'd to a couple of friends who are not on the Enigmail list whom I
> feel may be interested in the subject.)
> 
> Luke Chen wrote:
> | There doesn't seem to be a central Certificate Authority for validating
> | the public keys. How do I know if I can trust the signature from a
> | particular address?
> 
> This is an excellent question, and one that does not get asked enough.
> It also has the potential to give us a much-needed boost to our
> signal-to-noise ratio!  :)
> 
> I'll answer it first in anecdotal form, and then in a just-the-facts
> form.  After that there will be a pop quiz for the newbies.  The purpose
> here is not, _is not_, to make anyone feel dumb or stupid--it's only to
> get people thinking critically about the issue.  :)
> 
> 
> 
> =====
> 
> I have a friend whom I have known online and offline for a few years
> now.  In the course of knowing him I've accumulated evidence that he's
> being honest about his name.  I believe his judgment is generally good
> and he has personal integrity.  I make a personal decision to trust him
> not to screw me over.  I call him and have him verify his key
> fingerprint.  Now that I am assured I have his key, I sign it and make
> it valid for me.
> 
> That signature reflects three distinct judgments:
> 
> 	1.  He really is who he says he is
> 	2.  I can trust his character
> 	3.  I have a correct copy of his key
> 
> Now when I receive mail claiming to be from him, if I get a good
> signature on the message I can be confident that the message is
> authentically from him.
> 
> I have also discovered his signing policy is at least as stringent as
> mine.  He will not sign a key of someone whose identity he has not
> confirmed, or a key of someone he does not trust to deal fairly.  After
> reflecting on this for a while, I determine that not only do I trust him
> to deal fairly with me: I trust his judgment in the people he trusts to
> deal fairly with /him/.
> 
> In real life, if he asked to borrow my car, I'd shrug and fish out my
> keys.  If his Significant Other asked, I'd shrug and fish out my keys,
> too... while I barely know her, he trusts her and I trust his judgment,
> so I don't see why I shouldn't let her borrow my car.
> 
> Similarly, if someone whose key he signed were to send me a
> correctly-signed email, I would want it to show up as a good signature.
> The same logic applies.  Once I realize this, I set his key up as a
> trusted introducer.
> 
> ======
> 
> "How do I know if I can trust the signature from a particular address?"
> 
> 
> 	1.  Are you confident the name on the key corresponds to a real
> 	    person?
> 
> 	2.  Are you confident the person in question is not trying to
> 	    trick you?
> 
> 	3.  Are you confident you have a true copy of this person's key?
> 
> 
> ... If the answers of 1-3 are "yes", then sign with confidence and send
> your signature to the server.  If any of them is "I don't know", then
> you may wish to give a local signature--a signature which exists only on
> your keyring, which cannot be shared with others.  If any of them is
> "no", then _do not_ sign or locally-sign the key.
> 
> Once you have signed or locally-signed the key, you may wish to consider
> the fourth question:
> 
> 
> 	4.  Do you trust this person's judgment and reliability when it
> 	    comes to checking other people's keys?
> 
> ... If the answer to 4 is "yes", then give a trust signature with
> confidence.  If it's "I don't know" or "no", then don't.
> 
> =====
> 
> Pop quiz!  All answers must be justified.
> 
> 
> 
> Part 1: Basic Trust Skills (Short Answer)
> 
> Search for keys 0xFEAF8109, 0x5B0358A2 and 0xCCEC227B.  Answer these
> four questions for each key.
> 
> 	1.  Should you sign this key and make it valid?
> 	2.  Stipulate the key belongs to the person it claims, and that
> 	    the key is correct.  Should you now sign it?
> 	3.  Do you trust the person named in the key?
> 	4.  Should the answers to #2 and #3 have been the same?
> 
> 
> Part 2: Advanced Trust Skills (Short Answer)
> 
> 	1.  Do digital signatures create a trust relationship, or do
> 	    they only reflect an already-existing trust relationship?
> 	2.  Do digital signatures serve any purpose in the absence of
> 	    an already-existing trust relationship?
> 	3.  Should you know all the root authorities your operating
> 	    system trusts?
> 	4.  Why do you trust your OS vendor to decide which root
> 	    authorities are trustworthy?
> 
> 
> 
> 
> I would politely ask that people who can easily answer these questions
> hold off until Friday--let's let the newbies mull these questions over
> in peace.  :)
> 
> Man, I miss teaching Computer Literacy...  :)
> 
_______________________________________________
Enigmail mailing list
Enigmail at mozdev.org
https://www.mozdev.org/mailman/listinfo/enigmail

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAkfZCLYACgkQqPQ3uX5O/PdYbACfS5V+7Dy8TTifaRfTz6X+3f+C
IYwAn2m60LaJrne4HF6grOVf5SPjdXN1
=Jp0E
-----END PGP SIGNATURE-----
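As an added illustration for readers working through the quoted questions (this is example code written for this archive page, not Enigmail or GnuPG code, and not from either poster), the following Python models the validity rules Robert describes: a key becomes valid for you when you sign it, a trusted introducer you have signed can make further keys valid, a local signature gives validity but is never published, and a good signature from a key of unknown validity only shows consistency of origin. The model is deliberately one level deep (an introducer only counts if you certified that introducer's key yourself); the key ids such as `0xME` and `0xFRIEND` are constructed placeholders, not keys from the thread.

```python
# Added example (not Enigmail or GnuPG code): a one-level model of how a key
# becomes "valid" on your keyring through your own signature or through a
# trusted introducer, as described in the quoted reply above.
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Certification:
    signer: str              # key id of the key that made the certification
    target: str              # key id whose name/identity is being certified
    exportable: bool = True  # False models a local signature (lsign): never sent to a keyserver


@dataclass
class Keyring:
    own_key: str
    certs: list = field(default_factory=list)
    introducers: set = field(default_factory=set)

    def sign(self, target, exportable=True):
        """Answering 'yes' to questions 1-3: certify the key ourselves."""
        self.certs.append(Certification(self.own_key, target, exportable))

    def import_certification(self, signer, target):
        """A certification made by someone else (e.g. fetched from a keyserver)."""
        self.certs.append(Certification(signer, target, True))

    def set_trusted_introducer(self, key):
        """Answering 'yes' to question 4: accept this person's key-checking judgment."""
        self.introducers.add(key)

    def _signers_of(self, key):
        return {c.signer for c in self.certs if c.target == key}

    def validity(self, key):
        """'ultimate' for our own key, 'valid' if we certified it or a trusted
        introducer whom we certified did, otherwise 'unknown'."""
        if key == self.own_key:
            return "ultimate"
        signers = self._signers_of(key)
        if self.own_key in signers:
            return "valid"
        # One level only: an introducer counts only if *we* certified that introducer's key.
        for intro in self.introducers:
            if intro in signers and self.own_key in self._signers_of(intro):
                return "valid"
        return "unknown"

    def exportable_certifications(self):
        """What 'send your signature to the server' would publish: never the local ones."""
        return [c for c in self.certs if c.signer == self.own_key and c.exportable]

    def classify_signature(self, signer, crypto_ok):
        """Combine the cryptographic check with the signer key's validity.
        A good signature from a key of unknown validity only proves that the
        messages come from the same source, nothing stronger."""
        if not crypto_ok:
            return "bad signature"
        if self.validity(signer) in ("valid", "ultimate"):
            return "good signature, key valid"
        return "good signature, key validity unknown"


if __name__ == "__main__":
    kr = Keyring("0xME")                     # constructed sample key ids
    kr.sign("0xFRIEND")                      # verified fingerprint by phone, then signed
    kr.import_certification("0xFRIEND", "0xPARTNER")
    print(kr.validity("0xPARTNER"))          # unknown: friend is not yet an introducer
    kr.set_trusted_introducer("0xFRIEND")
    print(kr.validity("0xPARTNER"))          # valid: the "borrow my car" case
```

Running the block shows the partner's key moving from unknown to valid only once the friend is marked as an introducer; a key signed by someone you never certified stays unknown even if you name that person as an introducer, and a locally signed key is valid for you but absent from what you would export.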


