About PGP Signing a File.

Jeffrey F. Bloss jbloss at tampabay.rr.com
Sun Feb 11 20:09:39 UTC 2007


Matthew Flaschen wrote:

> Tony Arnold wrote:
> > You need to import his public key from a key server somewhere and
> > add it to your keyring.
> > 
> > The question then is how much do you trust this key that you believe
> > belongs to a certain person?
> 
> It belongs to a certain person, the question is which (and if it
> matters).

You really can't know any of that, leastwise not with any built-in
PGP/GnuPG functionality. The question of whether it matters or not is
mostly irrelevant because there simply is no way to either reliably
verify identity, or guarantee that a "verified" key remains in the sole
possession of any entity or person. IOW, the whole "web of trust" and
key signing/exchange functionality in general is full of more holes than
fine baby Swiss. It's weak by design. Considerably less secure than
something like a typical key/password SSH login for example. Not
suitable for anything but the most trivial application. On the
other hand, PGP/GnuPG encryption and integrity verification
functionality are, of course, outstanding.

There really is no foolproof way to cryptographically prove identity
right now. A few multi-factor authentication ephemeral key exchange
protocols come close, but they're also easily exploitable without hard
physical security. Maybe one day when quantum encryption evolves out of
infancy and we can implement some system where even attempting to read
an encrypted data stream destroys it, thus making it flatly impossible
for anyone but the sender and recipient themselves to read a message...
but not today. ;)

-- 
     _?_      Outside of a dog, a book is a man's best friend.
    (o o)         Inside of a dog, it's too dark to read.
-oOO-(_)--OOo------------------------------[ Groucho Marx ]---
                    http://wrench.homelinux.net/~jeff/