[fedora] Re: GPG signatures
peterl at standingwave.org
Tue Dec 30 20:35:43 UTC 2003
-----BEGIN PGP SIGNED MESSAGE-----
This is why people should sign keys that they have verified, and upload
those signed keys. This builds a web of trust:
Trevor Smith wrote:
| On Tue, 30 Dec 2003 01:12:13 -0500, Lorenzo Prince wrote:
|>This is true, but with the current GPG tools, it seems much easier, at
|>me, to simply export my key to a keyserver and let anyone import it if
|>More importantly, if I export my key, most servers sync with the
server my key is
|>posted on so in most cases it doesn't matter what keyserver you use.
| Automatic downloading of keys makes me wonder what the use of PGP / GPG
| signing really is. All it will do, in this case, is tell you that the
| person who sent the message is the person who uploaded the key. Which,
| in reality, tells you nothing.
| Yes, I suppose keyservers will only accept one key for one email
| address (is this true?) so if I'm the one who uploads a key for
| trevor at haligonian.com *FIRST*, then the "real" trevor at haligonian.com
| would be the one posting to this list. But even though I know this
| (since I'm him), you wouldn't have any proof of it, since you don't
| know I'm him. Maybe I'm someone pretending to be me and I created a key
| and started sending emails to this list. Unless you emailed me
| directly, you'd never know (presumably without much more sophisticated
| hacking a "fake" trevor wouldn't be able to intercept my email).
| Or suppose I just created a "slightly faked" domain and address like
| trevor at haligonan.com (notice the missing "i" in "haligonian"), created
| a key, uploaded it and started signing messages. If you auto-download
| keys then you might never even notice that this is a "new" trevor.
| If you only get keys manually, you would at least have a little more
| awareness of some of that spoofing and maybe more direct knowledge of
| who you're communicating with.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (MingW32)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
-----END PGP SIGNATURE-----
More information about the users