Delivery-Date: Fri, 19 Feb 2016 07:45:37 -0500
Return-Path: <tor-talk-bounces@lists.torproject.org>
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on moria.seul.org
X-Spam-Level: 
X-Spam-Status: No, score=-4.2 required=5.0 tests=BAYES_00,RCVD_IN_DNSWL_MED,
	T_RP_MATCHES_RCVD autolearn=ham version=3.3.1
X-Original-To: archiver@seul.org
Delivered-To: archiver@seul.org
Received: from eugeni.torproject.org (eugeni.torproject.org [38.229.72.13])
	(using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by khazad-dum.seul.org (Postfix) with ESMTPS id CEA291E0BD1;
	Fri, 19 Feb 2016 07:45:35 -0500 (EST)
Received: from eugeni.torproject.org (localhost [127.0.0.1])
	by eugeni.torproject.org (Postfix) with ESMTP id F1AD4397B6;
	Fri, 19 Feb 2016 12:45:30 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1])
 by eugeni.torproject.org (Postfix) with ESMTP id BB8BE397C0
 for <tor-talk@lists.torproject.org>; Fri, 19 Feb 2016 12:45:27 +0000 (UTC)
X-Virus-Scanned: Debian amavisd-new at 
Received: from eugeni.torproject.org ([127.0.0.1])
 by localhost (eugeni.torproject.org [127.0.0.1]) (amavisd-new, port 10024)
 with ESMTP id Vq387cHsQhLL for <tor-talk@lists.torproject.org>;
 Fri, 19 Feb 2016 12:45:27 +0000 (UTC)
Received: from mineralwasser.veloc1ty.de (mineralwasser.veloc1ty.de
 [IPv6:2a01:6f0:ffff:7e:dead:beef:0:3])
 (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits))
 (Client did not present a certificate)
 by eugeni.torproject.org (Postfix) with ESMTPS id 8782039721
 for <tor-talk@lists.torproject.org>; Fri, 19 Feb 2016 12:45:27 +0000 (UTC)
Received: from [192.168.0.76] (rkom.r-kom.de [212.77.162.22])
 (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
 (No client certificate requested)
 (Authenticated sender: hello@veloc1ty.de)
 by mineralwasser.veloc1ty.de (Postfix) with ESMTPSA id 71EA62A00EF
 for <tor-talk@lists.torproject.org>; Fri, 19 Feb 2016 13:45:23 +0100 (CET)
To: tor-talk@lists.torproject.org
References: <CAD--ZDVZECJ+gcx5MF51VTJ97pMzzROSVrDmpR7L1F-_hOF1OA@mail.gmail.com>
From: Josef 'veloc1ty' Stautner <hello@veloc1ty.de>
X-Enigmail-Draft-Status: N1110
Message-ID: <56C70E62.10206@veloc1ty.de>
Date: Fri, 19 Feb 2016 13:45:22 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101
 Thunderbird/38.5.1
MIME-Version: 1.0
In-Reply-To: <CAD--ZDVZECJ+gcx5MF51VTJ97pMzzROSVrDmpR7L1F-_hOF1OA@mail.gmail.com>
Subject: Re: [tor-talk] PGP and Signed Messages,
X-BeenThere: tor-talk@lists.torproject.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: tor-talk@lists.torproject.org
List-Id: "all discussion about theory, design,
 and development of Onion Routing" <tor-talk.lists.torproject.org>
List-Unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-talk>, 
 <mailto:tor-talk-request@lists.torproject.org?subject=unsubscribe>
List-Archive: <http://lists.torproject.org/pipermail/tor-talk/>
List-Post: <mailto:tor-talk@lists.torproject.org>
List-Help: <mailto:tor-talk-request@lists.torproject.org?subject=help>
List-Subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk>, 
 <mailto:tor-talk-request@lists.torproject.org?subject=subscribe>
Content-Type: multipart/mixed; boundary="===============1024933824319893708=="
Errors-To: tor-talk-bounces@lists.torproject.org
Sender: "tor-talk" <tor-talk-bounces@lists.torproject.org>

This is an OpenPGP/MIME signed message (RFC 4880 and 3156)
--===============1024933824319893708==
Content-Type: multipart/signed; micalg=pgp-sha256;
 protocol="application/pgp-signature";
 boundary="nfkFOkbcff3irUvCh1gvMh8gGtNfIS6Gk"

This is an OpenPGP/MIME signed message (RFC 4880 and 3156)
--nfkFOkbcff3irUvCh1gvMh8gGtNfIS6Gk
Content-Type: text/plain; charset=windows-1252
Content-Transfer-Encoding: quoted-printable

Hi,

this is a basic problem of PKI - is the key the correct one to use.
There is nothing to stop you from copying for example my key
information. That's why you need to check the received key over another
channel. For example I put my fingerprint on my website and it's also on
my business card.

A second way is looking at the signatures from other users thus it's not
the best method for validating an identity.

~Josef

Am 19.02.2016 um 13:34 schrieb Nathaniel Suchy:
> I've noticed a lot of users of Tor use PGP. With it you can encrypt or =
sign
> a message. However how do we know a key is real? What would stop me fro=
m
> creating a new key pair and uploading it to the key servers? And from t=
here
> spoofing identity?



--nfkFOkbcff3irUvCh1gvMh8gGtNfIS6Gk
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: OpenPGP digital signature
Content-Disposition: attachment; filename="signature.asc"

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQIcBAEBCAAGBQJWxw5iAAoJEJwnwQ9o0JmHM6EQAIgmRlPuPD0NPNTEiAUJCKNe
NodxDEZbMW5me+N6usTSmr8vVyq6QZ0kw0YM2NCufQ4JL9XXzKarCStENtZDopfJ
D+Ia4wQSyw37eGmYEnHeFs3Bp/MP7hf1Pbl0ZY8exTliCx7uDqz8Rbs/MFK64sJC
imNUF09C1HrzcWA9yLgp7qy1HtLXDT9vH0XTd/yJRwOIs7btWUyeApXzui3IfGx/
rNq5noaJp4vJCuowTm+Q+AJ18QdWwvtxptGPrl7alevBcyKH2ypLlEQ60KXjweuZ
4Q/ZiPKQsIBj6Z3HdEo0v8I3XfYAGdjI3WHPETVy+cSxLYl6aoKnyvlxLzJgvZqX
6TWyOLXD9tr8THJ9MdErqfEyVjOokeCPCUYrzplta/Su9Fs3pHTrE6abPCP+lyGH
3PApZi0WJfI5z72+Ii4xRHcEJMcf7Hw6uH0iUhQO1scC6fsMuU6CY7OpX4XWyiH5
X+h50PEsyn/NLg6LXNgNasXRhoSfZULFQ/f+kBIlcjFb7SMETrRJ71CB31gicIbs
XeZbXEaPgGYDFOIsP+qf8mlItHJ2F+k46NSUKwL2a4R2vBAjP4Ash0Paz3LoQgrM
1FoKhPZJraFU1/6ukqhKSKxSCvawisTpAq76l8koeaAAYYN4sRWcMpKJfVCLmi37
lHS6NDgA62E/9CKxA8oH
=Gomj
-----END PGP SIGNATURE-----

--nfkFOkbcff3irUvCh1gvMh8gGtNfIS6Gk--

--===============1024933824319893708==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

--===============1024933824319893708==--

