Mailscanner Update

MailScanner mailscanner at SMITS.CO.UK
Tue Mar 9 13:12:32 GMT 2004


How do I know the private key and passphrase are yours and not generated
by Joe Cracker under a pseudonym of Julian Field? I cannot verify
remotely that any of these are physically held by you. The only way I
can trust your PGP key is through you verifying its hash in person or
through the trust of a mutual contact that I know has done so. 

In the mean time I'd rather trust that Southampton University has a
reasonable security policy and will not allow unauthorised access to its
HTTP servers ;-)

Bart...



-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK] On
Behalf Of Julian Field
Posted At: 09 March 2004 12:15
Posted To: MailScanner
Conversation: Mailscanner Update
Subject: Re: Mailscanner Update


At 12:05 09/03/2004, you wrote:
>I only ever verify archives against a signature acquired through 
>another route. If someone takes the trouble to spike the archive, then 
>I'm sure they will take the trouble to create a new signature for it. 
>Having them both on the same web page offers very little real security.

That is true for MD5 signatures, which is why I don't use them.

However, it is not true for a PGP signature, as they would need access
to my private key and passphrase in order to generate the PGP signature.
You obviously need to check the PGP signature against my public key,
that's why I show the location of my public key on the page.

>A more secure way of signing binaries would be to use an SSL 
>certificate from a globally trusted root CA, but I can understand that 
>the cost would be prohibitive for most open source projects and this 
>method still leaves the CA vulnerable to social engineering attacks 
>(remember the unauthorised Microsoft certs a while ago?).

Don't need an SSL cert, I'm using PGP and so they need my private key
and passphrase to forge a key from me.

>-----Original Message-----
>From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK] On 
>Behalf Of Peter Bonivart Posted At: 08 March 2004 23:40 Posted To: 
>MailScanner
>Conversation: Mailscanner Update
>Subject: Re: Mailscanner Update
>
>
>Kevin Miller wrote:
> > So, um, OK, let's say someone (strictly hypothetically speaking of 
> > course - at least that's my story and I'm sticking to it <g>) didn't

> > know what the two little commmands are exactly but want to better 
> > themselves.  What would they run?
>
>What you need to do is:
>
># gpg --verify MailScanner-4.28.6-1.tar.gz.sig
>
>But before that there's some small things to take care of, they are 
>nicely described here:
>
>http://www.mandrakesecure.net/en/docs/gpg.php
>
>--
>/Peter Bonivart
>
>--Unix lovers do it in the Sun
>
>Sun Fire V210, Solaris 9, Sendmail 8.12.10, MailScanner 4.25-14, 
>SpamAssassin 2.63 + DCC 1.2.30, ClamAV 0.67 + GMP 4.1.2

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654




More information about the MailScanner mailing list