[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Digital signatures

on 7/12/2007 9:23 PM, Les wrote:
> On Thu, 2007-07-12 at 19:02 -0700, David Boles wrote:
>> on 7/12/2007 6:29 PM, Tim wrote:
>>> On Thu, 2007-07-12 at 10:01 -0700, Les wrote:
>>>> I am starting this thread because I see many folks signing their
>>>> emails with a digital signature. 
>>> I don't see a problem in someone posting a signed message.  I do see a
>>> problem in beleiving that they are who they claim to be.  There isn't
>>> any verification done, it's self-signed (self created).  I've yet to
>>> find *any* GPG/PGP key that was counter-signed by another person, let
>>> alone one that was counter-signed by someone I trust.
>>> I think that is a glaring omission when it comes to RPM packages, or
>>> even notices about updates.  Nevemind e-mails.
>> There is a better chance of me being 'me' than there is of you being
>> 'you'.  ;-)
>> Websites are signed, they have certificates, as well as packages are
>> signed by distributions. I would much rather trust a package signed by
>> Fedora than I would one without a signature. Or one that I do not know.
>> If you, for example, used Gnupg as I do you and I could actually send
>> private emails. Ones that only you and I can read. Since every server
>> keeps a copy of everything that you post, not just you but everyone, just
>> about anyone can read what you write.
>> Kinda' makes you feel naked doesn't it?  ;-)
> Websites were signed with 64 bit and 128 bit encryption, also, and the
> results of that are why we are seeing 256 and 1024 bit schemes proposed
> and used.  
> Assymetric encryption (PGP stuff) means that there are two keys, derived
> from the original design, through either a geometric or exponential
> process.  Encryption itself can be viewed as noise in the communications
> channel obscuring the signal.  Several forms of attack are based upon
> that.  Assymetric processes simply add more noise, but if geometric
> based the noise has a specific characteristic.  Now I cannot break such
> encryption schemes, but I can see that there should be means available,
> just not in the traditional sense of breaking a code.  I can visualize
> several forms of attack, but that is for another forum.
> My question here is how safe is the process, and how do you implement it
> personally to ensure it is safe?  Moreover, can you estimate the risk
> being taken with the information.  Is it safe for a year, a day or a
> century, given the resources available today?  Is the process by which
> the keys are distributed and used available to anyone, and can they be
> falsified, and would falsification reduce the security of the process?
> Where are the instructions available for implementing the process.  For
> example, David, your messages give me the warning Valid signature,
> cannot verify sender.
> So if this is the case, how could I trust your signature in a vital
> situation.  In the case of double encryption, as in the case of "shared
> secrecy" for PGP, how secure is the result?  And how was that
> determined?  Today, teraflops on the desktop are a reality, and the big
> guys are into thousands of petaflops (whatever the next designator might
> be.  My feeble brain quit counting at peta.)
> Also if parallel attacks several tens of thousands wide are attempted,
> how secure it the information and for how long?  If a new view of
> decryption comes along, what will become of the algorithm and how will
> we know when it is broken?  What if I used something like n-dimensional
> ffts against a noise added attack, would the key and data break apart
> like virus attacked dna?
> But to keep it simple here, is there somewhere a guide that gives step
> by step what do do to ensure the following:
> 	1. you can use pgp signatures in both sending and receiving email.
> 	2.  Instructions for implementing, posting and using your own
> signatures.
> 	3.  the means of generating shared secret posts.
> 	4.  what to do if you discover that your signature and encryption is
> broken.
> 	5.  some estimate of the safety of the algorithms used.

This is not some 'password' that I picked out of my past. Dogs name.
Mother's maiden name. My key was created with 1024 randomly generated

Tell you what I will do Les.

This is really stupid but just to prove a point. You don't have a key. If
you did, and I used you public key for this, you could read what I am
going to send to you because that is the way this works. Privately of
course. I won't trouble the list with this. Something really simple, easy
to find, better yet some that I *know* that you are familiar with, or
should be. No tricks. But Encrypted with my key and a friends public key.

When you decode it you post the results here. Honestly. I will admit it if
you can do that. take as long as you like but do keep us posted over the
weeks of your progress.  ;-)


Attachment: signature.asc
Description: OpenPGP digital signature

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]