About PGP Signing a File.
Ouattara Oumar Aziz
wattazoum at gmail.com
Mon Feb 12 23:27:22 UTC 2007
John L Fjellstad wrote:
> Tony Arnold <tony.arnold at manchester.ac.uk> writes:
>
>> It therefore becomes a question of degrees of trust. A document that has
>> been signed with a key that has also been signed by a number of people
>> increases that degree of trust, but as you say does not guarantee
>> authorship. A signature based on a key that has not been signed by
>> anybody is much less trustworthy.
>
> I don't see how the number of people signing a key makes it more
> trustworthy unless you know at least one of the people who signed (and
> then you only actually need that one person's signing). A bad guy could
> just generate a bunch of new keys to sign the one key you are looking
> at.
>
The way I understand it is just like certificates used with SSL. The
trust you put in a key depends on the security organization you are in.
So I may have a key signed by the security team of my company; that key
is trustworthy for anyone in that company, but outside that company it's
not valuable at all.
That's why, when I see some people on some mailing list signing their
mail using PGP, I just wonder what they want to prove. We have no way to
check the authority behind that key.