[Cryptography] Thoughts about keys

Jeremy Stanley fungi at yuggoth.org
Wed Sep 4 23:24:08 EDT 2013

On 2013-09-04 13:12:21 +0200 (+0200), Ilja Schmelzer wrote:
> There is already a large community of quite average users which use
> Torchat, which uses onion-Adresses as Ids, which are 512 bit hashs if
> I remember correctly.
> Typical ways of communication in this community are "look for my
> torchat-id at forum example.net, I'm examplenick there."

You could do the same with OpenPGP keys too (look for my key at any
modern keyserver, I'm fungi at yuggoth.org there) but that misses the
possibility that in the future someone might upload a trojan key
claiming to be me and use it to sign and send them a spoofed
nefarious message, source code release tarball, git tag, whatever.
Handing them a copy of the key fingerprint gives them a means to
confirm the key they just pulled from the server is really the same
person who showed them a passport at the conference the month

If there's no way for anyone to impersonate examplenick at forum
example.net then, sure, maybe simpler... but that forum is probably
not a distributed, highly available, cryptographically-verifiable
pool of key distribution API servers either. 
{ PGP( 48F9961143495829 ); FINGER( fungi at cthulhu.yuggoth.org );
WWW( http://fungi.yuggoth.org/ ); IRC( fungi at irc.yuggoth.org#ccl );
WHOIS( STANL3-ARIN ); MUD( kinrui at katarsis.mudpy.org:6669 ); }

More information about the cryptography mailing list