[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-talk] PGP and Signed Messages,

To: tor-talk@xxxxxxxxxxxxxxxxxxxx
Subject: Re: [tor-talk] PGP and Signed Messages,
From: Mirimir <mirimir@xxxxxxxxxx>
Date: Fri, 19 Feb 2016 06:10:58 -0700
Delivered-to: archiver@xxxxxxxx
Delivery-date: Fri, 19 Feb 2016 08:11:18 -0500
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/simple; d=riseup.net; s=squak; t=1455887464; bh=V+HtzdrGor3L6uQbuHXUoK25PcZbYU9P/lWpol3ecTg=; h=Subject:To:References:From:Date:In-Reply-To:From; b=AgnXwc6WJxc6ThqUAmI9Xhl6k/qKLdHDHS37QCnX4pvp+Zks75EWsRb+8rK+ZWvhD xyUHZ8SkAEav5b2ktUmS8e4pqvEPpxYFAqHBA23YEekMewuNHodgPtiDVnZgS5is6W 7ps43dgggpb1JVlyIh879YGtTsPuM1+CXrzdOu2E=
In-reply-to: <CAD--ZDVZECJ+gcx5MF51VTJ97pMzzROSVrDmpR7L1F-_hOF1OA@xxxxxxxxxxxxxx>
List-archive: <http://lists.torproject.org/pipermail/tor-talk/>
List-help: <mailto:tor-talk-request@lists.torproject.org?subject=help>
List-id: "all discussion about theory, design, and development of Onion Routing" <tor-talk.lists.torproject.org>
List-post: <mailto:tor-talk@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk>, <mailto:tor-talk-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-talk>, <mailto:tor-talk-request@lists.torproject.org?subject=unsubscribe>
References: <CAD--ZDVZECJ+gcx5MF51VTJ97pMzzROSVrDmpR7L1F-_hOF1OA@xxxxxxxxxxxxxx>
Reply-to: tor-talk@xxxxxxxxxxxxxxxxxxxx
Sender: "tor-talk" <tor-talk-bounces@xxxxxxxxxxxxxxxxxxxx>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 02/19/2016 05:34 AM, Nathaniel Suchy wrote:
> I've noticed a lot of users of Tor use PGP. With it you can encrypt
> or sign a message. However how do we know a key is real? What would
> stop me from creating a new key pair and uploading it to the key
> servers? And from there spoofing identity?

Yes, you could create a key with user ID mirimir (mirimir@xxxxxxxxxx).
And you could share it with others, pretending to be me. But email to
mirimir@xxxxxxxxxx goes to me, not to you, and I'd be unable to read
it. So I'd probably reply, attaching my public key. I could also
download the fake key, and alert the sender.

But Riseup could do that, and also filter out messages going to their
fake key. Adversaries that could MitM Riseup's connections with other
mailservers could also manage that.

But correspondents who bothered to check https://keybase.io/mirimir
could determine whether or not they have the right key for me. In
order to change keys, an adversary would need to make coordinated
changes to four online accounts and the VM that I'm using. Possible?
Sure. But not so easy.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (GNU/Linux)

iQEcBAEBAgAGBQJWxxReAAoJEGINZVEXwuQ+63kIAMk9S4gWczEPMKt1aJQF0+ev
EnNxyExKaWOBWRoCJst7NUdVtr/vwh4mu29p6fsOrEHP+h/BfwLHaHqKgO+KJGE/
QxMgWcoUUh0rHkk5kRaosGFheJ2J94cVwL0XXoTXFVUwDKJ+XUvVQmEY4AKVSdAg
vc99/IZ23qxP4MKwSqcYPOsdPUCR4v4J5EKWqCMZdqnFOpQI36b0f2Q82iPh8Xfv
qA1rOl6Kogx1gL992mNJ/4NRaZUFK40/QEubTyxAKi2/XzYUu6cjcEtyitoByc7V
lWEW11yztYW8mUm8LdVQUNT7kJU+wc+GMCdVO3UAINy4Cg/yuuBh3EP7QwaPOfo=
=UdyX
-----END PGP SIGNATURE-----
-- 
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

References:
- [tor-talk] PGP and Signed Messages,
  - From: Nathaniel Suchy

Prev by Author: Re: [tor-talk] automatic Tor browser updates
Next by Author: Re: [tor-talk] Large spike in .onion addresses - port scan?
Previous by thread: Re: [tor-talk] PGP and Signed Messages,
Next by thread: Re: [tor-talk] PGP and Signed Messages,
Index(es):
- Author
- Thread