interesting....
- monokrom0
"However, signatures and webs of trust do not guarantee trustable keys. For example, when Bob and Alice first met Cathy, let's say that a friend of Cathy's, Donald, had been with Cathy. Donald could have generated fake key pairs for Alice and Bob, signed them with his key and signed both pairs of keys with the other pairs resulting in three signatures on each key and sent them to Cathy. Cathy would be facing a series of bad keys and signatures. How could key signing help Cathy resist such an attack? Well, let's say that all the people involved were exchanging keys through a key server. If Cathy searched the key server for Alice and Bob's keys, she'd find two sets for both Alice and Bob. If Alice and Bob collected twenty key signatures at the keysigning party, it's obvious that Cathy can better trust the public keys signed twenty times than the ones signed only three times. Cathy should know something's up from the existence of the extra public keys - so she can look more closely at the generation dates and the trust web behind the public keys. The twenty keys from the party signatures should all be signed twenty or more times and have widely varying generation times, most likely all the keys which signed Alice and Bob's keys were also signed by other keys. That would not be the case if Donald had generated twenty faked key pairs and generated a faked web of trust."
http://www.cryptnet.net/fdp/cryp…
Don't sleep !
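The checks Cathy makes in the quoted passage (signature count, spread of the signers' generation dates, and whether the signers are themselves signed by keys outside the group), as an added Python example that is not part of the original post or the quoted HOWTO. All key ids, dates and the data layout are constructed for illustration, and counting the self-signature as the third signature on each forged key is an assumption.

```python
from datetime import date

def build_sample():
    """Constructed key-server view: key id -> creation date and signer ids."""
    party = [f"P{i:02d}" for i in range(20)]       # keysigning-party attendees
    keys = {f"X{i}": {"created": date(1997, 1 + i, 1), "signed_by": set()}
            for i in range(4)}                      # older keys outside the party
    for i, k in enumerate(party):                   # generated over several years
        keys[k] = {"created": date(1998 + i % 5, 1 + i % 12, 1 + i),
                   "signed_by": (set(party) - {k}) | {f"X{i % 4}"}}
    keys["ALICE-party"] = {"created": date(2000, 3, 14),
                           "signed_by": set(party) | {"ALICE-party"}}
    # Donald's forgery: three signatures per fake key (self-signature counted,
    # which is an assumption), all generated within two days of each other.
    keys["DONALD"] = {"created": date(2003, 6, 1), "signed_by": {"DONALD"}}
    keys["BOB-fake"] = {"created": date(2003, 6, 2),
                        "signed_by": {"BOB-fake", "DONALD", "ALICE-fake"}}
    keys["ALICE-fake"] = {"created": date(2003, 6, 2),
                          "signed_by": {"ALICE-fake", "DONALD", "BOB-fake"}}
    return keys

def assess(keys, kid):
    """Signature count, signer creation-date spread, externally vouched signers."""
    signers = keys[kid]["signed_by"] - {kid}        # self-signature proves nothing
    clique = signers | {kid}
    dates = [keys[s]["created"] for s in signers]
    spread = (max(dates) - min(dates)).days if dates else 0
    # A signer counts as vouched only if some key outside this closed group signed it.
    vouched = sum(1 for s in signers if keys[s]["signed_by"] - clique)
    return {"signatures": len(keys[kid]["signed_by"]),
            "signer_spread_days": spread,
            "externally_vouched_signers": vouched}

def rank(keys, candidates):
    """Order candidate keys for one name, best-supported first."""
    def score(k):
        a = assess(keys, k)
        return (a["externally_vouched_signers"], a["signer_spread_days"],
                a["signatures"])
    return sorted(candidates, key=score, reverse=True)

if __name__ == "__main__":
    ks = build_sample()
    for k in rank(ks, ["ALICE-fake", "ALICE-party"]):
        print(k, assess(ks, k))
```

Ranking puts external vouching and date spread ahead of the raw count because, as the passage notes, a forger can generate twenty fake signers as easily as three.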