[ale] PGP/GPG Keysigning party! ALE Central November 19th.
Greg Freemyer
greg.freemyer at gmail.com
Wed Oct 28 11:37:53 EDT 2009
On Wed, Oct 28, 2009 at 10:57 AM, Michael B. Trausch
<mbt at zest.trausch.us> wrote:
> On Wed, 2009-10-28 at 10:41 -0400, Jim Lynch wrote:
>> I for one would like to know exactly what this activity is good for.
>> I understand that one of the uses of these keys is to be sure an email
>> is from who you think it is. Exactly what activities are you guys
>> involved in that require that level of security? Obviously you are
>> doing something other than sending responses to the various
>> questions/issue on this list.
>>
>> I'm not criticizing, just very puzzled 'cause I have no real idea of a
>> practical use for this level of security.
>>
>> Thanks for the enlightenment.
>
> GPG signatures are good for the case where you want to see if the
> message was altered in transit. However, where they really shine is
> encrypted communications. Everything you write on the Internet and send
> by way of HTTP (not HTTPS) and email (which is inherently insecure) is
> sent in plain old, very readable and modifiable text.
>
> Here's an example.
>
> Imagine that you're writing to a friend to tell her what you're getting
> for various members of her family. Now, imagine that I am her husband,
> and I control that network, and that I am a nosy bastard. Your message
> is probably screened through some program and I see it and read it. I
> can also modify it; she'll never know.
>
> Imagine the same situation, but instead, I work for her ISP and am not
> her husband. I can see the message as it passes through my network,
> optionally logging it and reading it later should I choose to do so. In
> fact, I have no reason to believe that ISPs don't already do this with
> unencrypted communications. After all, they're the prime points of
> interception on this great big network. They can intercept, modify, and
> then deliver the message---without detection.
>
> Now, imagine that I am the President. (That ought to be good for a
> laugh.) I sign an Executive Order compelling some random other entity
> or person in the government to begin collecting and analyzing all
> plaintext traffic on the Internet and logging it and attributing it to
> those who wrote it, watching for bad behavior and being the Big Brother
> we all don't want to have power. (They already do some form of this
> already, actually, or at least they did.) If it becomes convenient they
> can compel an ISP to cooperate and intercept messages so that the
> government can modify them and send the modified versions to their
> recipients. If messages carry OpenPGP signatures, this is not possible
> (well, not likely*) and the government cannot insert itself into the
> dialogue. With encryption, the government cannot even see what is being
> said. Same goes for the ISP, or that pesky nosy neighbor that is on the
> same cable network as you are and is snooping around the node for
> anything that looks to be "interesting".
>
> --- Mike
I get all of the above by pulling your public key from a key server
and using pgp.

The purpose of a signing party is to allow me to have confidence that
the "Michael B. Trausch" who is part of ALE is the same person that
has a key on the key server.

Like Jim, I'm not sure I need that for very many of the ALE'ers.

And for the few I might need that for I can call them and say, "I
pulled your public key from the key server, can you send me a pgp
encrypted email so I can verify the public key I have is actually
yours".

So, my question is not "What is pgp good for?". My question is "What
is a key signing party good for?"

Thanks
Greg
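The two points made in this exchange, a signature detecting a message altered in transit (Mike) and a key signing adding the link between a key on the server and the person you met (Greg), can be walked through with two throwaway keyrings. The script below is an added example, not code from anyone in the thread; it assumes GnuPG 2.x is installed as `gpg`, and the user ids, the message text and the file standing in for the key server are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original thread). Assumes GnuPG 2.x as `gpg`.
# Two private keyrings: ALICE writes and signs, BOB fetches and verifies.
set -e

WORK=$(mktemp -d)
ALICE="$WORK/alice"
BOB="$WORK/bob"
mkdir -p "$ALICE" "$BOB"
chmod 700 "$ALICE" "$BOB"
trap 'gpgconf --homedir "$ALICE" --kill gpg-agent 2>/dev/null;
      gpgconf --homedir "$BOB" --kill gpg-agent 2>/dev/null;
      rm -rf "$WORK"' EXIT

# gpg bound to one keyring, non-interactive, no prompts for the empty passphrase
g() { home=$1; shift; gpg --homedir "$home" --batch --quiet --no-tty \
        --pinentry-mode loopback --passphrase '' "$@" 2>/dev/null; }

# 1. Alice creates a key and "publishes" the public half (a file stands in
#    for the key server that Greg pulls keys from).
g "$ALICE" --quick-generate-key 'Alice Example <alice@example.invalid>' default sign never
g "$ALICE" --armor --export alice@example.invalid > "$WORK/alice.pub.asc"

# 2. Alice clearsigns a message (constructed text).
printf 'Gift list: a book for your sister.\n' > "$WORK/msg.txt"
g "$ALICE" --clearsign --output "$WORK/msg.asc" "$WORK/msg.txt"

# 3. Bob fetches the key and imports it, exactly as Greg describes.
g "$BOB" --import "$WORK/alice.pub.asc"

# Prints "ok" when the signature verifies against Bob's keyring, "bad" otherwise.
verify_message() { if g "$BOB" --verify "$1"; then echo ok; else echo bad; fi; }

# Mike's point: a nosy intermediary who edits the signed text breaks the signature.
sed 's/sister/husband/' "$WORK/msg.asc" > "$WORK/msg.tampered.asc"

# Greg's point: a good signature only proves the message matches *some* key that
# was on the server under that name. What the party adds is an in-person check
# that the fingerprint of the imported key is the one Alice vouches for, recorded
# as Bob's certification of her key.
fingerprint_of() {
    g "$1" --with-colons --fingerprint "$2" | awk -F: '$1=="fpr"{print $10; exit}'
}

# Bob compares the fingerprint Alice hands him (read here from her own keyring,
# standing in for the slip of paper) with the key he pulled from the "server".
fingerprints_match() {
    if [ "$(fingerprint_of "$ALICE" alice@example.invalid)" = \
         "$(fingerprint_of "$BOB" alice@example.invalid)" ]; then
        echo match
    else
        echo mismatch
    fi
}

# After the match, Bob certifies Alice's key with his own (a local, non-exportable
# signature; at a real party this would be an exportable one sent back to her).
g "$BOB" --quick-generate-key 'Bob Example <bob@example.invalid>' default sign never
g "$BOB" --quick-lsign-key "$(fingerprint_of "$BOB" alice@example.invalid)"
g "$BOB" --check-trustdb

# Validity column of the pub record: "-" (unknown) before the certification,
# "f" (fully valid) afterwards, because Bob's own key is ultimately trusted.
key_validity() {
    g "$BOB" --with-colons --list-keys "$1" | awk -F: '$1=="pub"{print $2; exit}'
}

echo "original:  $(verify_message "$WORK/msg.asc")"
echo "tampered:  $(verify_message "$WORK/msg.tampered.asc")"
echo "fingerprint: $(fingerprints_match)"
echo "validity after signing: $(key_validity alice@example.invalid)"
```

The first two lines of output answer Jim's question about signatures; the last two show the difference a signing party makes: before Bob certifies the key, `gpg --verify` still succeeds but warns that the key is not certified with a trusted signature, and only the fingerprint check done face to face turns that warning into a fully valid key in his keyring.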