[Enigmail] From offlist

Phil Stracchino alaric at metrocast.net
Tue Mar 3 18:26:40 PST 2009


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Robert J. Hansen wrote:
> You send them an email and ask for their key.  They email it back to
> you, and you import it to your local keyring.  It's possible for a
> malicious attacker to have replaced the public key your correspondent
> sent you with a public key of the attacker's choosing, though -- what we
> call a Man In The Middle attack -- so it's important to verify that you
> received the correct key.  The usual way to do this is to contact your
> friend by some method other than email and ask them for a fingerprint of
> their key.  If the fingerprint they give you matches the one you find by
> looking at your copy of their key, then you have the correct key.

Barring, of course, the extremely unlikely case of fingerprint
collisions, by chance or design.  If you're being attacked by someone
with enough savvy and processing power to engineer a by-design key
fingerprint collision more or less in real time, the odds are you're
already completely screwed anyway, so there's relatively little point in
worrying about it.


- --
  Phil Stracchino, CDK#2     DoD#299792458     ICBM: 43.5607, -71.355
  alaric at caerllewys.net   alaric at metrocast.net   phil at co.ordinate.org
         Renaissance Man, Unix ronin, Perl hacker, Free Stater
                 It's not the years, it's the mileage.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEAREIAAYFAkmt5uAACgkQ0DfOju+hMkk/cACfR2XGhI5Ci+R2CVHHVS110RlD
SkEAn18f1ME0OXvrOqrSaLSdcudtYUiN
=ou+4
-----END PGP SIGNATURE-----
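An added example, not from the thread, of what the fingerprint check discussed above actually compares: the OpenPGP v4 fingerprint is the SHA-1 of the public-key packet (RFC 4880 section 12.2), so verifying it out of band binds the imported key material to the value your correspondent reads you. The RSA modulus below is a small constructed value, not a real key, and the packet builder is a minimal reimplementation, not GnuPG's code.

```python
import hashlib
import hmac
import struct


def mpi(value: int) -> bytes:
    """Encode an integer as an OpenPGP MPI: 2-byte bit length, then big-endian bytes."""
    bits = value.bit_length()
    return struct.pack(">H", bits) + value.to_bytes((bits + 7) // 8, "big")


def v4_public_key_body(created: int, n: int, e: int) -> bytes:
    """Body of a version-4 RSA public-key packet (RFC 4880 section 5.5.2)."""
    return b"\x04" + struct.pack(">I", created) + b"\x01" + mpi(n) + mpi(e)


def v4_fingerprint(body: bytes) -> str:
    """RFC 4880 section 12.2: SHA-1 over 0x99, the 2-byte body length, and the body."""
    prefix = b"\x99" + struct.pack(">H", len(body))
    return hashlib.sha1(prefix + body).hexdigest().upper()


def key_id(fingerprint: str) -> str:
    """The 64-bit key ID is just the low 16 hex digits of the fingerprint."""
    return fingerprint[-16:]


def normalize(fp: str) -> str:
    """Drop the spaces people read aloud and ignore case: 'abcd 1234' == 'ABCD1234'."""
    return "".join(fp.split()).upper()


def verify_out_of_band(body: bytes, spoken_fingerprint: str) -> bool:
    """Compare the fingerprint of the key we imported with the one read to us by phone."""
    expected = v4_fingerprint(body)
    given = normalize(spoken_fingerprint)
    # A key ID or a partial fingerprint is not enough: insist on all 40 hex digits.
    if len(given) != 40 or any(c not in "0123456789ABCDEF" for c in given):
        return False
    return hmac.compare_digest(expected, given)


# Constructed sample key material (a toy 64-bit modulus, NOT a usable RSA key).
SAMPLE_KEY = v4_public_key_body(created=1236126400, n=0xC0FFEE1234567891, e=65537)
```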
