How about the so-called Certificate Authorities? Should one use them? And if I am paranoid, should I trust them? What if I impersonate someone and give out keys under their name? I read something about such issues long ago, but still don't understand.
Chuma Dan Hugo wrote:
> Will Lowe wrote:
> >
> > On Fri, 9 Jan 1998, Tim Thomson wrote:
> >
> > > I know why you would want to use it to send encrypted messages, but why do
> > > you want to sign your messages?
> >
> > Well, we use it to sign other things. Like, for example, when I upload
> > a new debian package, I sign it so that the people who run ftp.debian.org
> > (and eventually you) know that that package really came from me -- I put
> > my name on it, so I'd like to make sure no one's releasing stuff under my
> > name without my authorization. By the same token, you'd like to make
> > sure that I'm the person who did it, so that if there's a bug, or if it
> > releases some horrible plague on your computer, you can get ahold of me.
> > :)
>
> Something that might be less obvious is the fact that signing a message
> not only authenticates the author (assuming your signature, or public
> key, is available for someone to use for this purpose) of a message or
> piece of code, but it also allows one to authenticate the content of the
> message or code. Public key encryption like PGP would allow the same
> thing to a limited number of users for an encrypted message, but if,
> using the same example, I want to post to a newsgroup and I want to make
> sure that what I post is not altered in some way, I could sign it, and
> then anyone who was interested could verify that the content that
> appears on the group is what I actually posted (once they get my public
> key).
>
> Same goes for that code example... anyone who hacks the code between the
> source and destination would not be able to create an authentic
> signature for the new content, so that the recipient could (should)
> authenticate the message for content and author (or signer, actually),
> then decide if the content is what it was when it was posted or sent,
> and that the author or signer is trustworthy.
>
> It's all very cool...
>
> Check out Applied Cryptography, by Bruce Schneier, John Wiley & Sons,
> Inc 1996, as it is pretty much THE text on this sort of thing. There
> are many web sites as well.
>
> > Some people just have pine set up to auto-sign everything.
>
> If I recall correctly, there are cases where one shouldn't sign
> something. If I can remember any, I'll post 'em...
>
> Hopefully, nothing changed in this message.
>
> -dh
>
> --
> TO UNSUBSCRIBE FROM THIS MAILING LIST: e-mail the word "unsubscribe" to
> [EMAIL PROTECTED] .
> Trouble? e-mail to [EMAIL PROTECTED] .
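The two points the quoted message makes (a signature ties content to a signer, and a tamperer cannot produce a valid signature for altered content), together with the question at the top about keys handed out under someone else's name, as an added example that is not from this thread. It is a toy "textbook RSA" signature over a SHA-256 digest built from Python's standard library only, not PGP; the key is constructed from two fixed, publicly known Mersenne primes so the run is deterministic, which also makes it useless as a real key.

```python
# Added toy example (not PGP, not from the thread): what a signature proves.
# Anyone holding the PUBLIC key can check (a) the content is unaltered and
# (b) it was produced by the matching PRIVATE key.  No padding, no key
# management; constructed key material only.
import hashlib

# Constructed key: two known Mersenne primes so the example is deterministic.
# A real key uses secret random primes; this one is trivially factorable.
P = 2**127 - 1
Q = 2**521 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))          # private exponent

def sign(message: bytes, d: int, n: int) -> int:
    """Author's step: hash the content, then apply the private exponent."""
    h = int.from_bytes(hashlib.sha256(message).digest(), "big")
    return pow(h, d, n)

def verify(message: bytes, sig: int, e: int, n: int) -> bool:
    """Recipient's step: undo the signature with the public key and compare
    against a fresh hash of what actually arrived."""
    h = int.from_bytes(hashlib.sha256(message).digest(), "big")
    return pow(sig, e, n) == h

ORIGINAL = b"debian package foo_1.0 uploaded by will"   # constructed sample
SIG = sign(ORIGINAL, D, N)

def unaltered_message_verifies() -> bool:
    return verify(ORIGINAL, SIG, E, N)

def tampered_message_fails() -> bool:
    # Content changed between source and destination: old signature no longer fits.
    return not verify(ORIGINAL.replace(b"1.0", b"1.1"), SIG, E, N)

def impostor_key_fails() -> bool:
    # Keys handed out under someone else's name: the impostor can sign with
    # their OWN key, but it does not verify against the real person's public
    # key.  Knowing you hold the *right* public key is the key-distribution
    # problem that CAs and the PGP web of trust exist to address.
    fake_p, fake_q = 2**107 - 1, 2**607 - 1   # constructed impostor key
    fake_n = fake_p * fake_q
    fake_d = pow(E, -1, (fake_p - 1) * (fake_q - 1))
    forged = sign(ORIGINAL, fake_d, fake_n)
    return not verify(ORIGINAL, forged, E, N)

if __name__ == "__main__":
    print(unaltered_message_verifies(), tampered_message_fails(), impostor_key_fails())
```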