GPG Signatures Was Re: reiserfs question

Dennis Gilmore dennis at dgilmore.net
Thu Mar 11 13:32:20 UTC 2004


On Thursday 11 March 2004 11:23 pm, Rui Miguel Seabra wrote:
<Snip>
> And if you use this feature that blindly, then you might as well not use
> digital signing at all.
>
> Automatic keyserver verification is for controlled keyservers, where
> keys have some verification, otherwise, you might be believing some key
> with no trust path at all.
>
> Rui


There is no trust involved.  All it is saying is that the message matches the
key on the keyserver, but that ultimately it's not trusted, because I haven't
signed the key to say I trust it and can verify who signed the email 100%.
All it does is get a copy of the key from the server and say they match.
Trust is a different thing altogether.  The only keys I trust are my own.

By not making available your public key, I'm saying you may as well not sign it,
as it's the same thing.  At least if your key is available then I can say hey,
it probably hasn't been tampered with, but I'm not saying hey, that is
definitely from Joe Bloggs.

Dennis
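
The distinction drawn in this message (the signature matching a fetched key versus the key being trusted), as an added example that is not part of the original post: a parser for GnuPG's machine-readable status lines that reports the two results separately. The sample status text, key ID and user ID are constructed, and the function name and verdict strings are this example's own.

```python
# Constructed `gpg --status-fd 1 --verify` output; key ID and user ID are made up.
SAMPLE_STATUS = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Joe Bloggs <joe@example.org>
[GNUPG:] TRUST_UNDEFINED
"""

FAILED = {"BADSIG", "ERRSIG"}                 # signature did not verify
TRUSTED = {"TRUST_FULLY", "TRUST_ULTIMATE"}   # key validity established locally
UNTRUSTED = {"TRUST_UNDEFINED", "TRUST_NEVER", "TRUST_MARGINAL"}


def classify(status_text):
    """Report 'message matches the key' separately from 'key is trusted'."""
    good, failed, trust, signer = False, False, None, None
    for line in status_text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue                          # skip human-readable output
        fields = line.split()[1:]
        if not fields:
            continue
        keyword = fields[0]
        if keyword == "GOODSIG":
            good = True
            signer = " ".join(fields[2:])     # user ID claimed by the key
        elif keyword in FAILED:
            failed = True                     # any failure wins (fail closed)
        elif keyword in TRUSTED or keyword in UNTRUSTED:
            trust = keyword
    if failed or not good:
        verdict = "not verified"
    elif trust in TRUSTED:
        verdict = "intact, signer identity established"
    else:
        verdict = "intact, signer identity NOT established"
    return {"matches_key": good and not failed, "signer": signer,
            "trust": trust, "verdict": verdict}


if __name__ == "__main__":
    print(classify(SAMPLE_STATUS))
```

A key fetched automatically from a keyserver and never signed locally produces the GOODSIG plus TRUST_UNDEFINED combination shown in the sample.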