About PGP Signing a File.

Matthew Flaschen matthew.flaschen at gatech.edu
Mon Feb 12 23:36:05 UTC 2007


Ouattara Oumar Aziz wrote:
> John L Fjellstad wrote:
>> Tony Arnold <tony.arnold at manchester.ac.uk> writes:
>>
>>> It therefore becomes a question of degrees of trust. A document that has
>>> been signed with a key that has also been signed by a number of people
>>> increases that degree of trust, but as you say does not guarantee
>>> authorship. A signature based on a key that has not been signed by
>>> anybody is much less trustworthy.
>> I don't see how the number of people signing a key makes it more
>> trustworthy unless you know at least one of the person who signed (and
>> then you only actually need that one person's signing).  A bad guy could
>> just generate a bunch of new keys to sign the one key you are looking
>> at.
>>
> The way I understand it is just like certificates used with SSL. The 
> trust you put in a key depends on the security organization you are in. 
> So I may have a key signed by the security team of my company; that key 
> is trustworthy for anyone in that company, but outside that company it's 
> not valuable at all.
> That's why, when I see some people on some mailing list signing their 
> mail using PGP, I just wonder what they want to prove. We have no way to 
> check the authority behind that key.

That's a valid point, but you can at least be sure we're signing with a
consistent key, and thus a consistent (though possibly fake) identity.
That's useful (though not as useful as associating with a verified
identity).

Matthew Flaschen

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 252 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-users/attachments/20070212/9d3212dd/attachment.sig>
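The disagreement between Tony and John above is really about how OpenPGP's web of trust turns certifications (key signatures) into validity. The following is an added example, not code from this thread and not GnuPG's own code: a small stdlib-only Python model of GnuPG's classic trust model with its default thresholds (one fully trusted certifier, or three marginally trusted ones, within five certification hops). The keyring, the names and the placeholder fingerprints (ME, ALICE, ATTACKER-000, ...) are constructed for illustration. It shows John's point directly: fifty certifications from freshly minted keys that nobody you trust has vouched for leave a key exactly as invalid as a bare self-signature, while a single certification from one person you have verified and trust is enough.

```python
# Added example: a stdlib-only model of GnuPG's classic web-of-trust
# validity computation. Not code from the thread or from GnuPG; the
# keyring, names and fingerprints below are constructed placeholders.
from dataclasses import dataclass, field

FULL, MARGINAL = "full", "marginal"


@dataclass
class Keyring:
    # subject fingerprint -> fingerprints of keys that certified (signed) it
    certs: dict = field(default_factory=dict)
    # owner trust YOU assigned: fingerprint -> FULL or MARGINAL
    ownertrust: dict = field(default_factory=dict)
    # your own keys (ultimately trusted): always valid, certify with full weight
    ultimate: set = field(default_factory=set)

    def certify(self, subject: str, certifier: str) -> None:
        """Record that `certifier` signed `subject`'s key."""
        self.certs.setdefault(subject, set()).add(certifier)

    def trust_of(self, fpr: str):
        """Owner trust of a key: ultimate keys count as FULL, unknown keys as None."""
        if fpr in self.ultimate:
            return FULL
        return self.ownertrust.get(fpr)


def valid_keys(ring: Keyring, completes_needed: int = 1,
               marginals_needed: int = 3, max_cert_depth: int = 5) -> set:
    """Return the set of fingerprints considered valid.

    Mirrors GnuPG's classic model and its defaults (completes-needed=1,
    marginals-needed=3, max-cert-depth=5): a key is valid when certified by
    `completes_needed` fully trusted valid keys or `marginals_needed`
    marginally trusted valid keys. Validity spreads outward from your
    ultimately trusted keys one certification hop per round, for at most
    max_cert_depth hops. Self-signatures and signatures from keys that are
    not themselves valid never count, whatever their number.
    """
    valid = set(ring.ultimate)
    for _ in range(max_cert_depth):
        newly_valid = set()
        for subject, certifiers in ring.certs.items():
            if subject in valid:
                continue
            full = marginal = 0
            for c in certifiers:
                if c == subject or c not in valid:
                    continue  # self-signature, or the signer is not valid itself
                trust = ring.trust_of(c)
                if trust == FULL:
                    full += 1
                elif trust == MARGINAL:
                    marginal += 1
            if full >= completes_needed or marginal >= marginals_needed:
                newly_valid.add(subject)
        if not newly_valid:
            break
        valid |= newly_valid
    return valid


def is_valid(ring: Keyring, fpr: str) -> bool:
    return fpr in valid_keys(ring)


def sybil_attack(ring: Keyring, target: str, n: int) -> None:
    """John's attack: mint n fresh keys and have each one certify `target`."""
    for i in range(n):
        ring.certify(target, f"ATTACKER-{i:03d}")


def demo_ring() -> Keyring:
    """Constructed keyring; fingerprints are placeholders, not real keys."""
    ring = Keyring(ultimate={"ME"})
    ring.certify("ALICE", "ME")           # I signed Alice after checking her ID
    ring.ownertrust["ALICE"] = FULL       # and I trust her to check others carefully
    ring.certify("BOB", "ALICE")          # Alice signed Bob: Bob is valid through Alice
    for m in ("M1", "M2", "M3"):          # three people I signed but trust only marginally
        ring.certify(m, "ME")
        ring.ownertrust[m] = MARGINAL
        ring.certify("DAVE", m)           # each of the three signed Dave
    ring.certify("EVE", "M1")             # one marginal certifier is not enough
    ring.certify("CAROL", "CAROL")        # self-signature only...
    sybil_attack(ring, "CAROL", 50)       # ...plus 50 certifications from unknown keys
    return ring


if __name__ == "__main__":
    ring = demo_ring()
    for fpr in ("ALICE", "BOB", "DAVE", "EVE", "CAROL"):
        print(f"{fpr:6s} valid={is_valid(ring, fpr)}")
```

Running it reports ALICE, BOB and DAVE as valid and EVE and CAROL as not: the fifty attacker certifications on CAROL change nothing because none of the certifying keys is reachable from a key you trust. What the model does not capture is Matthew's narrower point, that a consistent key still gives a consistent (if unverified) identity across messages; that only requires comparing the signing key's fingerprint from one message to the next, which needs no trust path at all.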
