[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Digital signatures

On Thu, 2007-07-12 at 19:02 -0700, David Boles wrote:
> on 7/12/2007 6:29 PM, Tim wrote:
> > On Thu, 2007-07-12 at 10:01 -0700, Les wrote:
> >> I am starting this thread because I see many folks signing their
> >> emails with a digital signature. 
> > 
> > I don't see a problem in someone posting a signed message.  I do see a
> > problem in beleiving that they are who they claim to be.  There isn't
> > any verification done, it's self-signed (self created).  I've yet to
> > find *any* GPG/PGP key that was counter-signed by another person, let
> > alone one that was counter-signed by someone I trust.
> > 
> > I think that is a glaring omission when it comes to RPM packages, or
> > even notices about updates.  Nevemind e-mails.
> There is a better chance of me being 'me' than there is of you being
> 'you'.  ;-)
> Websites are signed, they have certificates, as well as packages are
> signed by distributions. I would much rather trust a package signed by
> Fedora than I would one without a signature. Or one that I do not know.
> If you, for example, used Gnupg as I do you and I could actually send
> private emails. Ones that only you and I can read. Since every server
> keeps a copy of everything that you post, not just you but everyone, just
> about anyone can read what you write.
> Kinda' makes you feel naked doesn't it?  ;-)
Websites were signed with 64 bit and 128 bit encryption, also, and the
results of that are why we are seeing 256 and 1024 bit schemes proposed
and used.  

Assymetric encryption (PGP stuff) means that there are two keys, derived
from the original design, through either a geometric or exponential
process.  Encryption itself can be viewed as noise in the communications
channel obscuring the signal.  Several forms of attack are based upon
that.  Assymetric processes simply add more noise, but if geometric
based the noise has a specific characteristic.  Now I cannot break such
encryption schemes, but I can see that there should be means available,
just not in the traditional sense of breaking a code.  I can visualize
several forms of attack, but that is for another forum.

My question here is how safe is the process, and how do you implement it
personally to ensure it is safe?  Moreover, can you estimate the risk
being taken with the information.  Is it safe for a year, a day or a
century, given the resources available today?  Is the process by which
the keys are distributed and used available to anyone, and can they be
falsified, and would falsification reduce the security of the process?
Where are the instructions available for implementing the process.  For
example, David, your messages give me the warning Valid signature,
cannot verify sender.

So if this is the case, how could I trust your signature in a vital
situation.  In the case of double encryption, as in the case of "shared
secrecy" for PGP, how secure is the result?  And how was that
determined?  Today, teraflops on the desktop are a reality, and the big
guys are into thousands of petaflops (whatever the next designator might
be.  My feeble brain quit counting at peta.)

Also if parallel attacks several tens of thousands wide are attempted,
how secure it the information and for how long?  If a new view of
decryption comes along, what will become of the algorithm and how will
we know when it is broken?  What if I used something like n-dimensional
ffts against a noise added attack, would the key and data break apart
like virus attacked dna?

But to keep it simple here, is there somewhere a guide that gives step
by step what do do to ensure the following:
	1. you can use pgp signatures in both sending and receiving email.
	2.  Instructions for implementing, posting and using your own
	3.  the means of generating shared secret posts.
	4.  what to do if you discover that your signature and encryption is
	5.  some estimate of the safety of the algorithms used.

Les H

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]