[fedora] Re: GPG signatures

Peter Loron peterl at standingwave.org
Tue Dec 30 20:35:43 UTC 2003


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

This is why people should sign keys that they have verified, and upload
those signed keys. This builds a web of trust:

http://www.rubin.ch/pgp/weboftrust.en.html

-Pete

Trevor Smith wrote:
| On Tue, 30 Dec 2003 01:12:13 -0500, Lorenzo Prince wrote:
|
|
|>This is true, but with the current GPG tools, it seems much easier, at
|>least to me, to simply export my key to a keyserver and let anyone import
|>it if needed.
|>More importantly, if I export my key, most servers sync with the server my
|>key is posted on so in most cases it doesn't matter what keyserver you use.
|
|
| Automatic downloading of keys makes me wonder what the use of PGP / GPG
| signing really is. All it will do, in this case, is tell you that the
| person who sent the message is the person who uploaded the key. Which,
| in reality, tells you nothing.
|
| Yes, I suppose keyservers will only accept one key for one email
| address (is this true?) so if I'm the one who uploads a key for
| trevor at haligonian.com *FIRST*, then the "real" trevor at haligonian.com
| would be the one posting to this list. But even though I know this
| (since I'm him), you wouldn't have any proof of it, since you don't
| know I'm him. Maybe I'm someone pretending to be me and I created a key
| and started sending emails to this list. Unless you emailed me
| directly, you'd never know (presumably without much more sophisticated
| hacking a "fake" trevor wouldn't be able to intercept my email).
|
| Or suppose I just created a "slightly faked" domain and address like
| trevor at haligonan.com (notice the missing "i" in "haligonian"), created
| a key, uploaded it and started signing messages. If you auto-download
| keys then you might never even notice that this is a "new" trevor.
|
| If you only get keys manually, you would at least have a little more
| awareness of some of that spoofing and maybe more direct knowledge of
| who you're communicating with.
|
|
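An added example, not from this thread or from GnuPG itself, that puts both points above into code: a GOODSIG line only proves the mail came from whoever holds that key, so a verifier should also require the signer's address to match the expected sender (the "haligonan.com" lookalike case) and the key to be certified in your own web of trust. It reads the machine-readable lines GnuPG prints with `gpg --status-fd 1 --verify`; the addresses, key IDs and transcripts are constructed samples.

```python
import re

# Only keys certified through your own signatures (the web of trust) count as
# verified; TRUST_UNDEFINED/NEVER/MARGINAL means nobody you trust vouched for it.
ACCEPTED_TRUST = {"TRUST_FULLY", "TRUST_ULTIMATE"}

_UID_MAIL = re.compile(r"<([^>]+)>\s*$")  # pulls the address out of a user ID


def assess(status_lines, expected_sender):
    """Return (accept, reason) for one gpg --status-fd transcript."""
    good_uid = None
    trust = None
    for line in status_lines:
        if not line.startswith("[GNUPG:] "):
            continue
        fields = line.split(" ", 3)  # ['[GNUPG:]', KEYWORD, arg, rest]
        keyword = fields[1]
        if keyword in ("BADSIG", "ERRSIG", "NO_PUBKEY"):
            return False, f"signature did not verify ({keyword})"
        if keyword == "GOODSIG":
            good_uid = fields[3] if len(fields) > 3 else ""
        elif keyword.startswith("TRUST_"):
            trust = keyword
    if good_uid is None:
        return False, "no GOODSIG line"
    m = _UID_MAIL.search(good_uid)
    uid_mail = (m.group(1) if m else good_uid).lower()
    if uid_mail != expected_sender.lower():
        # Valid signature, but from a lookalike identity: reject.
        return False, f"signer <{uid_mail}> is not <{expected_sender}>"
    if trust not in ACCEPTED_TRUST:
        # Valid signature from a key no trusted person has certified.
        return False, f"key not certified in web of trust ({trust})"
    return True, f"good signature from certified key ({trust})"


# Constructed sample transcripts (fake key IDs and addresses).
SAMPLE_CERTIFIED = [
    "[GNUPG:] GOODSIG 0123456789ABCDEF Trevor Example <trevor@example.org>",
    "[GNUPG:] TRUST_FULLY 0 pgp",
]
SAMPLE_UNTRUSTED = [SAMPLE_CERTIFIED[0], "[GNUPG:] TRUST_UNDEFINED 0 pgp"]
SAMPLE_LOOKALIKE = [  # note "exarnple" (r-n) instead of "example"
    "[GNUPG:] GOODSIG FEDCBA9876543210 Trevor Example <trevor@exarnple.org>",
    "[GNUPG:] TRUST_FULLY 0 pgp",
]
SAMPLE_BAD = ["[GNUPG:] BADSIG 0123456789ABCDEF Trevor Example <trevor@example.org>"]
```

In practice feed `assess` the output of `gpg --status-fd 1 --verify` on the message and the address from the mail's From header.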