I have several PGP public keys for making signatures. This key is for sending me email:
--BEGIN PGP PUBLIC KEY BLOCK-----
mDMEZpxhTxYJKwYBBAHaRw8BAQdAJEsfaeZOg4YwKq4oaJ+AuDFqjstXh/3A8JRq
VROOXx+0KkJ5cmwgUmF6ZSBCdWNrYnJpYXIgPGtleW94aWRlMEBvY3RhZGUubmV0
PokCwgQTFggCagIbAwULCQgHAgYVCgkICwIEFgIDAQIeAQIXgBYhBLmyqOwsSyDS
ARz+qgfkp//2WF6PBQJmnbCPTRSAAAAAABAANHByb29mQGFyaWFkbmUuaWRvcGVu
cGdwNGZwcjo2NzdBRTMyMzkyOUY4RkVFN0Q2RUFCODlBODY5REQ1OTYwRTY2NjE3
TRSAAAAAABAANHByb29mQGFyaWFkbmUuaWRvcGVucGdwNGZwcjpCOUIyQThFQzJD
NEIyMEQyMDExQ0ZFQUEwN0U0QTdGRkY2NTg1RThGPhSAAAAAABAAJXByb29mQGFy
aWFkbmUuaWRodHRwczovL29yY2lkLm9yZy8wMDA5LTAwMDktNTE0NC0zMjc4QxSA
AAAAABAAKnByb29mQGFyaWFkbmUuaWRodHRwczovL2NvZGViZXJnLm9yZy9PQ1RB
REUva2V5b3hpZGVfcHJvb2YwFIAAAAAAEAAXcHJvb2ZAYXJpYWRuZS5pZGRuczpv
Y3RhZGUubmV0P3R5cGU9VFhURBSAAAAAABAAK3Byb29mQGFyaWFkbmUuaWRodHRw
czovL2Jza3kuYXBwL3Byb2ZpbGUvb2N0YWRlLmJza3kuc29jaWFsRBSAAAAAABAA
K3Byb29mQGFyaWFkbmUuaWRodHRwczovL25ld3MueWNvbWJpbmF0b3IuY29tL3Vz
ZXI/aWQ9T0NUQURFKxSAAAAAABAAEnByb29mQGFyaWFkbmUuaWRuZXdzOi8vYWx0
LnJodWJhcmIrFIAAAAAAEAAScHJvb2ZAYXJpYWRuZS5pZHNtczovLzc4MS1PQ1Qt
QUdPTgAKCRAH5Kf/9lhej1PnAQDgqfTE2hKnMSMvspqk4YUBUNVjjI3571lGZUNC
forCVAD+OZExOp+mat0oJtCL/zMInmBeNnlu6xO/iwGndsAEIQC4OARmnGFPEgor
BgEEAZdVAQUBAQdAaf3rf2xm8ONAVAbV6UtFHehUJy7YmoPW2skWABd7FjQDAQgH
iHgEGBYIACAWIQS5sqjsLEsg0gEc/qoH5Kf/9lhejwUCZpxhTwIbDAAKCRAH5Kf/
9lhej8yWAQDnHRRWZKNQDNl+yQDZRe4gn/QICF2SB6DyLhGjpiLbdQEAmZ5M1HHQ
TslBggyfJ99HZicprQZw4f/rgNj2SGqW3gw=
=> zHb
--END PGP PUBLIC KEY BLOCK-----
=> More informations about this toot | More toots from octade@soc.octade.net
@octade how do we verify it is your public key?
for example, you can verify mine on MIT.edu
=> More informations about this toot | More toots from adisonverlice@dragonscave.space
Ah, good question. How can you trust that my public key is really my public key?
You can't. Or you can. It is up to you. Let me explain.
Because my web server is secured with a HTTPS connection with HSTS and you can view the LetsEncrypt SSL cert that secures the data request. Or does it?
And because it is also on the hockeypuck servers you can trust that is my key: https://keys.openpgp.org/vks/v1/by-fingerprint/B9B2A8EC2C4B20D2011CFEAA07E4A7FFF6585E8F
Or can you?
However, my web server is more trustworthy than PGP keyservers. Or is it?
How do you prove that the PGP key server didn't replace my uploaded key with one of their own? Where did you get the key fingerprint? How can you know that connection was secure and not MITM'd?
You can't. Unless you have met me face-to-face and gotten the key from my own hand in meatspace, there is always the possibility, however slight or great, that someone in the chain of trust can impersonate me and give you their fake key instead of mine.
That's what I mean about cryptography and security theater. It sounds cool to get PGP keys from a keyserver, but any key server can poison the keys with their own fakes. And any CA can poison SSL certs under a secret order from the government, or upon the directive of a corrupt person working in their company.
Ring of trust is supposedly there to avoid that problem with PGP. Good luck trying to get any industry hacks to sign your PGP key into their ring of trust.
See what I mean?
I suppose that LetsEncrypt or any CA could also poison a connection with a malicious SSL cert for a MITM. How would anyone know?
See what I mean?
At some point, you have to trust someone, and you have to take someone else's word to trust the next person in the chain.
And this is why you should never rely upon public key cryptography to secure information that could get you hurt, imprisoned, or killed. Anyone who says otherwise is selling you rope and a tree. Under no circumstances should you ever communicate death-defying information over a public network using public key cryptography. Just don't ever do that, not ever.
The only verifiable cryptographic security is when you own the keys, and you exchange them in meat space with the other party, encrypted with very strong passphrases, with many gigabytes of OTP key material. Any other method requires you to trust someone or trust that a trapdoor function doesn't have a secret weakness.
This requirement to trust someone to vouch for identity is why it is called a certificate AUTHORITY or ring of trust. You have to accept some authority to vouch for the authenticity of the key and the identity of its holder. But you can't prove it unless you are face-to-face with that person.
In the old days, it was common to have PGP key signing parties, where people met in person in groups to verify each others' identities then sign each others' keys.
I'm not a high value target. It is highly unlikely that anyone running a hockeypuck server or SSL CA would serve a fake key on my account. Hacking me would net zero dollars return, so I don't worry about it. If I had high value information to communicate it would be either in person or through a courier using one-time pad keys. I wouldn't touch PGP or any Internet cryptosystem for something like that.
[#]PGP #Encryption #CyberSecurity #SecurityTheater #Cryptography
=> More informations about this toot | More toots from octade@soc.octade.net This content has been proxied by September (3851b).Proxy Information
text/gemini