Mailscanner Update

Julian Field mailscanner at ecs.soton.ac.uk
Tue Mar 9 13:39:41 GMT 2004


At 13:12 09/03/2004, you wrote:
>How do I know the private key and passphrase are yours and not generated
>by Joe Cracker under a pseudonym of Julian Field?

That's why I publish the key footprint/fingerprint in my email signature.
It would be pretty hard for someone to replace all the copies of my key
footprint in all the PC's in the world that already have a copy of it.

Furthermore my PGP key includes my photograph, so you can visually check me
against the copies of the press images on the web site. So you would have
to replace those too.

So in fact there are many supporting pieces of evidence you could gather
which all lead you to believe I am who I say I am. It would be very
difficult for a hacker to replace all the supporting evidence with fake
information.

>  I cannot verify
>remotely that any of these are physically held by you. The only way I
>can trust your PGP key is through you verifying its hash in person or
>through the trust of a mutual contact that I know has done so.
>
>In the mean time I'd rather trust that Southampton University has a
>reasonable security policy and will not allow unauthorised access to its
>HTTP servers ;-)
>
>Bart...
>
>
>
>-----Original Message-----
>From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK] On
>Behalf Of Julian Field
>Posted At: 09 March 2004 12:15
>Posted To: MailScanner
>Conversation: Mailscanner Update
>Subject: Re: Mailscanner Update
>
>
>At 12:05 09/03/2004, you wrote:
> >I only ever verify archives against a signature acquired through
> >another route. If someone takes the trouble to spike the archive, then
> >I'm sure they will take the trouble to create a new signature for it.
> >Having them both on the same web page offers very little real security.
>
>That is true for MD5 signatures, which is why I don't use them.
>
>However, it is not true for a PGP signature, as they would need access
>to my private key and passphrase in order to generate the PGP signature.
>You obviously need to check the PGP signature against my public key,
>that's why I show the location of my public key on the page.
>
> >A more secure way of signing binaries would be to use an SSL
> >certificate from a globally trusted root CA, but I can understand that
> >the cost would be prohibitive for most open source projects and this
> >method still leaves the CA vulnerable to social engineering attacks
> >(remember the unauthorised Microsoft certs a while ago?).
>
>Don't need an SSL cert, I'm using PGP and so they need my private key
>and passphrase to forge a key from me.
>
> >-----Original Message-----
> >From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK] On
> >Behalf Of Peter Bonivart Posted At: 08 March 2004 23:40 Posted To:
> >MailScanner
> >Conversation: Mailscanner Update
> >Subject: Re: Mailscanner Update
> >
> >
> >Kevin Miller wrote:
> > > So, um, OK, let's say someone (strictly hypothetically speaking of
> > > course - at least that's my story and I'm sticking to it <g>) didn't
>
> > > know what the two little commmands are exactly but want to better
> > > themselves.  What would they run?
> >
> >What you need to do is:
> >
> ># gpg --verify MailScanner-4.28.6-1.tar.gz.sig
> >
> >But before that there's some small things to take care of, they are
> >nicely described here:
> >
> >http://www.mandrakesecure.net/en/docs/gpg.php
> >
> >--
> >/Peter Bonivart
> >
> >--Unix lovers do it in the Sun
> >
> >Sun Fire V210, Solaris 9, Sendmail 8.12.10, MailScanner 4.25-14,
> >SpamAssassin 2.63 + DCC 1.2.30, ClamAV 0.67 + GMP 4.1.2
>
>--
>Julian Field
>www.MailScanner.info
>MailScanner thanks transtec Computers for their support
>
>PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654



More information about the MailScanner mailing list