Comments on: Root of Trust ?

By: eljonas

eljonas — Wed, 01 Oct 2008 14:37:27 +0000

Hey - I know Måns! He is a nice chap who wears kilt when he volunteers as electrician at rock festivals in the summers.

Just had to say that!

Thanks for the article!

By: Richard Clayton

Richard Clayton — Wed, 01 Oct 2008 10:29:38 +0000

@Andrew

The reason that my app can’t handle the inline signature is the way that they’ve chosen to do it — not using multipart and not using the optional storage name parameter. When we developed Turnpike we (Hi Ian! Paul!) spent some considerable time getting Turnpike to interwork with other mail applications, and if anyone was using this scheme we’d have coded it up so that it worked…

… the further reason that the signature didn’t validate (an hour or so messing around late last night has finally enabled me to get it to validate) is the presence of wrapped long lines, non-ASCII characters, and mixed conventions for line endings; all of which must be unpicked “just right” in an appropriate text editor to retrieve the original text that was signed.

The bottom line of this aspect is that there’s a fine RFC specifying how to do MIME + PGP in a way that will interwork. Failing to use that scheme is going to cause trouble for a lot more people than just me.

By: Andrew

Andrew — Wed, 01 Oct 2008 09:42:54 +0000

So basically what you are saying is that they shouldn’t have chosen PGP Inline signatures over PGP/Mime because your e-mail application can’t handle them?

While PGP/Mime is the preferred choice in most situation it comes with it’s own set of annoyances, especially when it comes to webmail solutions. So I think PGP Inline is still a perfectly understandable choice.

I agree about the key though. They should post their key directly on their web. However, that does still not solve the problem with the public keysers and that anyone can upload keys with pretty much any signature, as your rather childish demonstration shows.

By: Richard Clayton

Richard Clayton — Tue, 30 Sep 2008 19:10:37 +0000

@Bernd

On balance, I do believe that the key does belong to the .se registry, and I have signed it on that basis. Although why you should expect “The Russian Mafia” to have anything like a normal key signing policy escapes me at present!

The point is that by linking to a version of the key on the public servers (rather than one on their own webpages) the registry has muddied an already muddy situation even further. They have mixed in all the complexities of what Zimmermann’s “web of trust” can actually provide. My choice of moniker should be irrelevant, but I rather suspect (and indeed intended) that anyone who sees it will fail to analyse the situation correctly.

By: Bernd Eckenfels

Bernd Eckenfels — Tue, 30 Sep 2008 18:56:41 +0000

I dont know how you can sign a Key which you cant verify. Where is the logic in this?

However I fully agree with your article, this is not the way to establish a trustable private PKI.

By: Andrew Kember

Andrew Kember — Tue, 30 Sep 2008 09:25:21 +0000

Hm. Understanding trust and security has always been tricky for non-experts like me, and I suspect the process will need to be a good deal easier and more transparent before I can be sure of what I need and how to get it - and what benefit it’ll afford me!

Still - you’ve done a good job of diving right in. I shall watch on with keen interest.

By: Calle Dybedahl

Calle Dybedahl — Tue, 30 Sep 2008 07:31:36 +0000

Since I happen to be consulting at .SE right now, I have pointed out your post to the people here.

By: 'Ndrangheta

'Ndrangheta — Mon, 29 Sep 2008 23:39:33 +0000

We’d like to sign it too.