About PGP Signing a File.

Jeffrey F. Bloss jbloss at tampabay.rr.com
Sun Feb 11 10:30:05 UTC 2007


Tony Arnold wrote:

> John Dangler wrote:
> > On Sun, 2007-02-11 at 02:24 -0500, Matthew Flaschen wrote:
> >> Joel Bryan Juliano wrote:
> >>> Hi,
> >>>
> >>>  I have a question regarding signing a file or binary, I installed
> >>> Seahorse which is a really awesome tool! And it has a
> >>> nautilus-extension that easily Encrypt and Sign a file or
> >>> directory by right-clicking the file. Can someone please tell me
> >>> the use of signing a binary file or directory? I know it's
> >>> important, but I really don't get it.
> >> There's no use, unless you're planning on sending the file to
> >> someone. If you do send it to someone, they can check the
> >> signature to verify you sent it.  Emails and most forms of
> >> electronic communication can be easily forged, but signatures
> >> can't be.
> > 
> > As in - gpg: armor header: Version: GnuPG v1.4.3 (GNU/Linux)
> > gpg: armor header: Comment: Using GnuPG with Mozilla -
> > http://enigmail.mozdev.org
> > gpg: Signature made Sun 11 Feb 2007 02:24:30 AM EST using DSA key ID
> > 3BBDED59
> > gpg: Can't check signature: public key not found
> > 
> > (this is what I see on your signature of your emails to the list)...
> 
> You need to import his public key from a key server somewhere and add
> it to your keyring.

Or even better... meet in person, demand three forms of photo ID, and run
fingerprints through NCIC/whatever. All in front of reliable, bondable
witnesses. <grin>

> 
> The question then is how much do you trust this key that you believe
> belongs to a certain person?

This is why PGP/GnuPG are primarily data integrity tools and not proof
of authorship tools. Indeed most digital signature schemes can't be
used to reliably authenticate origin, just guarantee data hasn't been
tampered with. The more refined tools like GnuPG and PGP implement
methods of forming trusted relationships, but they are in general not so
robust and easily exploited. Certainly not to be relied on for any
mission critical work. 

There are other protocols which address identity in much more suitable
ways, although the "zero knowledge proof" problem has been a major
thorn in cryptographers' sides since cryptography was invented. ;)

-- 
     _?_      Outside of a dog, a book is a man's best friend.
    (o o)         Inside of a dog, it's too dark to read.
-oOO-(_)--OOo------------------------------[ Groucho Marx ]---
                    http://wrench.homelinux.net/~jeff/
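
The thread separates three situations: a signature that cannot be checked because the public key is missing, a signature that checks against some key, and the separate question of whose key that is. The sketch below is an added example, not part of the original message: it classifies the machine-readable lines that `gpg --status-fd 1 --verify` prints and compares the key fingerprint against one confirmed out of band. The function name, the pinned fingerprint and all sample lines are constructed for illustration.

```python
import re

# Constructed placeholder fingerprint (not a real key, not from the thread).
PINNED_FPR = "AAAABBBBCCCCDDDDEEEEFFFF1111222233334444"

# Constructed samples of `gpg --status-fd 1 --verify FILE.sig FILE` output.
NO_KEY = """gpg: Can't check signature: public key not found
[GNUPG:] ERRSIG 1111222233334444 17 2 00 1171178670 9
[GNUPG:] NO_PUBKEY 1111222233334444
"""
GOOD = f"""[GNUPG:] GOODSIG 1111222233334444 Example Signer <signer@example.org>
[GNUPG:] VALIDSIG {PINNED_FPR} 2007-02-11 1171178670 0 3 0 17 2 00 {PINNED_FPR}
[GNUPG:] TRUST_UNDEFINED
"""
BAD = "[GNUPG:] BADSIG 1111222233334444 Example Signer <signer@example.org>\n"


def classify(status_text, pinned_fpr):
    """Classify the status lines of one signature check (single signature assumed)."""
    seen = {}
    for line in status_text.splitlines():
        m = re.match(r"\[GNUPG:\] (\S+) ?(.*)", line)
        if m:  # human-readable "gpg: ..." lines are ignored
            seen.setdefault(m.group(1), m.group(2).split())
    if "BADSIG" in seen:
        return "bad-signature"            # file or signature was modified
    if "NO_PUBKEY" in seen:
        return "unchecked-no-public-key"  # nothing was verified either way
    if "ERRSIG" in seen:
        return "unchecked-error"
    if seen.keys() & {"EXPSIG", "EXPKEYSIG", "REVKEYSIG"}:
        return "expired-or-revoked"
    if "GOODSIG" in seen and "VALIDSIG" in seen:
        args = seen["VALIDSIG"] or [""]
        # First field: signing key fingerprint; tenth: primary key fingerprint.
        fprs = {args[0]} | ({args[9]} if len(args) > 9 else set())
        if pinned_fpr.upper() in fprs:
            return "good-pinned-key"
        return "good-unpinned-key"        # intact, but key owner unconfirmed
    return "no-signature"


if __name__ == "__main__":
    for name, text in (("NO_KEY", NO_KEY), ("GOOD", GOOD), ("BAD", BAD)):
        print(name, "->", classify(text, PINNED_FPR))
```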