Email address challenge script for KMail

Sebastian Stein s5228 at informatik.htw-dresden.de
Mon Aug 25 13:12:03 CEST 2003


Ingo Klöcker <kloecker at kde.org> [030825 12:02]:
> The email address ingo.kloecker at gmx.de doesn't belong to me but to 
> another Ingo Klöcker (who even happens to live only about 20 km from 
> me). Unless you'd checked all my email addresses you'd all blindly sign 
> this user id if I had added it to my key.
> 
> After a considerable number of people have signed this user id I could 
> cause a lot of confusion by sending email addresses with From: ingo.
> kloecker at gmx.de and signed with my key to people who know the other 
> Ingo.

I think this is not true. If you add a userid to your key (gpg --edit-key
-> adduid) you have to enter your passphrase, because you are editing your
key. So if you add the email address of the other guy to your public key, it
is your fault.

Please test the signature of my last mail. I've sent it over
s5228 at informatik.htw-dresden.de, because I'm subscribed to this list with
that address. My gpg public key doesn't contain this uid, but you are able to
verify the signature, because of the ID in the signature and not because of
the email address I used.

In the end, an email address could never be something unique, because it is very
simple to fake an email address. The verification always has to be done over
the ID!

Steinchen
-- 
PGP-ID:      0x9695F25F
Fingerprint: D5DA A954 D16B 09E2 005A  A065 AB10 3028 9695 F25F
Public Key:  http://www.hpfsc.de/download/steinchen.asc
Keyserver:   www.keyserver.net
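
The point made in the message above, as an added example (not part of the original post): a minimal Python parser that reads the issuer key ID from a binary OpenPGP signature packet, which is the value a verifier uses to locate the key, independent of the From header. The packet is constructed with placeholder signature values, and the long key ID is assumed to be the low 64 bits of the fingerprint in the signature block above, which holds for v4 keys.

```python
import struct

def _subpackets(area):
    """Yield (type, body) for each signature subpacket (RFC 4880, 5.2.3.1)."""
    i = 0
    while i < len(area):
        n = area[i]; i += 1
        if 192 <= n < 255:                       # two-octet length
            n = ((n - 192) << 8) + area[i] + 192; i += 1
        elif n == 255:                           # five-octet length
            n = int.from_bytes(area[i:i + 4], "big"); i += 4
        yield area[i] & 0x7F, area[i + 1:i + n]  # mask off the "critical" bit
        i += n

def issuer_key_id(packet):
    """Return the issuer key ID (hex) carried in a binary signature packet."""
    hdr = packet[0]
    if (hdr & 0xC0) == 0xC0 and packet[1] < 192:   # new-format header, short length
        tag, body = hdr & 0x3F, packet[2:2 + packet[1]]
    elif (hdr & 0xC0) == 0x80 and (hdr & 3) < 3:   # old-format header
        size = 1 << (hdr & 3)
        length = int.from_bytes(packet[1:1 + size], "big")
        tag, body = (hdr >> 2) & 0x0F, packet[1 + size:1 + size + length]
    else:
        raise ValueError("packet header not handled by this example")
    if tag != 2:
        raise ValueError("not a signature packet")
    if body[0] == 3:                             # v3: key ID at a fixed offset
        return body[7:15].hex().upper()
    if body[0] != 4:
        raise ValueError("unsupported signature version")
    hashed_len = int.from_bytes(body[4:6], "big")
    start = 6 + hashed_len
    unhashed_len = int.from_bytes(body[start:start + 2], "big")
    areas = body[6:start], body[start + 2:start + 2 + unhashed_len]
    for area in areas:
        for typ, val in _subpackets(area):
            if typ == 16:                        # issuer subpacket
                return val.hex().upper()
    raise ValueError("no issuer subpacket")

def constructed_signature(key_id_hex):
    """Constructed v4 DSA/SHA-1 packet with placeholder values; it cannot verify."""
    hashed = bytes([5, 2]) + struct.pack(">I", 1_000_000_000)   # creation time
    unhashed = bytes([9, 16]) + bytes.fromhex(key_id_hex)       # issuer key ID
    body = (bytes([4, 0, 17, 2]) + struct.pack(">H", len(hashed)) + hashed
            + struct.pack(">H", len(unhashed)) + unhashed
            + b"\x00\x00" + b"\x00\x01\x01" * 2)
    return bytes([0x88, len(body)]) + body

SIG = constructed_signature("AB1030289695F25F")  # assumed: low 64 bits of the fingerprint
```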