Posted to community@apache.org by Santiago Gala <sg...@hisitech.com> on 2003/12/01 17:49:05 UTC

Re: establish a trust relationship (Re: missing signatures)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


On Friday, 26 Sept 2003, at 07:07 Europe/Madrid, Ask Bjoern Hansen
wrote:

> Likewise for telephone numbers; figuring out a time to make two
> calls across the world should be feasible.
>

For those able to receive/send SMS (text messages), they can be used to 
send or receive key fingerprints, in a very effective and safe back 
channel for identity validation.

I have used SMS quite a few times to send passwords after the account 
setup information had been sent by email.
You can sue the telephone provider if the password is leaked, at least 
in theory. :-P

> Some people include their key signature in all their mails.
>
>

I'm beginning to sign all my mails, since security is becoming a key 
issue for all Open Source, and signing of communications/releases seems 
to be crucial.

Regards,
      Santiago

P.S.) I know it is a very late answer, I found the thread while making 
a search for stuff on Apache Trust chain.


---------------------------------------------------------------------
To unsubscribe, e-mail: community-unsubscribe@apache.org
For additional commands, e-mail: community-help@apache.org


Re: establish a trust relationship (Re: missing signatures)

Posted by Santiago Gala <sg...@hisitech.com>.
On Monday, 1 Dec 2003, at 18:10 Europe/Madrid, Lars Eilebrecht
wrote:

> According to Santiago Gala:
>
>> For those able to receive/send SMS (text messages), they can be used
>> to send or receive key fingerprints, in a very effective and safe back
>> channel for identity validation.
>
> Err, I wouldn't call SMS (or GSM) a 'safe' communication media.
>

Sorry, I tend to be imprecise. 'Safe' here was meant in the sense of 
identity cross reference, i.e. resilient to impersonation. (In my 
example, fingerprints are public info, so no confidentiality is 
actually needed)

The idea is that if a person is using a phone number that appears in 
telephone directories as Santiago's to answer a challenge (send me your 
key fingerprint by SMS...) in a timely manner, it reinforces trust in 
this person's identity as Santiago when taken in addition to email.

Not in crypto terms. I tend to be imprecise, sorry.

> [...]
>> I'm beginning to sign all my mails, since security is becoming a key
>> issue for all Open Source, and signing of communications/releases 
>> seems
>> to be crucial.
>
> BTW, you may want to cross-sign your two PGP keys. The one you
> used to sign your message is not the one you gave to people at
> ApacheCon for signing.
>

They are cross signed, I forgot to upload the signed version. Thanks 
for the reminder.

Regards,
     Santiago
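The SMS challenge Santiago describes, written out as an added example that is not part of the thread: the checking side normalizes the fingerprint received over the back channel, accepts only a complete fingerprint (not a key ID), and rejects answers that arrive outside the challenge window. The fingerprint value and the 30-minute window are constructed assumptions.

```python
import re

# Constructed sample fingerprint for the key we hold locally (a made-up
# value, not any real key's fingerprint).
LOCAL_FINGERPRINT = "2A3B 4C5D 6E7F 8091 A2B3  C4D5 E6F7 0819 2A3B 4C5D"


def normalize_fingerprint(text: str) -> str:
    """Drop grouping spaces, colons and case so a fingerprint typed into
    an SMS compares equal to the one gpg prints."""
    return re.sub(r"[^0-9A-F]", "", text.upper())


def check_out_of_band_fingerprint(received: str, local: str) -> tuple[bool, str]:
    """Compare a fingerprint received over the back channel (SMS, phone)
    with the fingerprint of the key we already have.  Only a complete
    fingerprint is accepted: a short or long key ID is merely a suffix of
    the fingerprint, and a suffix is far cheaper to collide than the whole."""
    r, l = normalize_fingerprint(received), normalize_fingerprint(local)
    if len(r) not in (32, 40):  # v3 keys: 32 hex digits (MD5); v4 keys: 40 (SHA-1)
        return False, f"received {len(r)} hex digits, not a full fingerprint"
    if len(r) != len(l) or r != l:
        return False, "fingerprint does not match the key we hold"
    return True, "fingerprint matches"


def verify_sms_challenge(received: str, local: str, sent_at: float,
                         answered_at: float,
                         window_seconds: float = 30 * 60) -> tuple[bool, str]:
    """The challenge from the thread: 'send me your key fingerprint by SMS'
    to the number listed for the person, answered in a timely manner.
    Timestamps are Unix seconds.  A late answer is rejected even if the
    fingerprint is right, because a delayed reply says less about who
    controls the phone right now."""
    if answered_at < sent_at:
        return False, "answer predates the challenge"
    if answered_at - sent_at > window_seconds:
        return False, "answer arrived outside the challenge window"
    return check_out_of_band_fingerprint(received, local)
```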



Re: establish a trust relationship (Re: missing signatures)

Posted by Lars Eilebrecht <la...@hyperreal.org>.
According to Santiago Gala:

> For those able to receive/send SMS (text messages), they can be used to 
> send or receive key fingerprints, in a very effective and safe back 
> channel for identity validation.

Err, I wouldn't call SMS (or GSM) a 'safe' communication media.

[...]
> I'm beginning to sign all my mails, since security is becoming a key 
> issue for all Open Source, and signing of communications/releases seems 
> to be crucial.

BTW, you may want to cross-sign your two PGP keys. The one you
used to sign your message is not the one you gave to people at
ApacheCon for signing.

ciao...
-- 
Lars Eilebrecht          - Confidence is the feeling you sometimes have
lars@hyperreal.org        - before you fully understand the situation.
