On Mon, 4 Aug 2003 10:41:37 -0700
Alan Connor <[EMAIL PROTECTED]> wrote:
>
> Funny. I know someone who has 2 of those PGP signatures things, neither
> of which use his real name or stats.
>
> He can prove that he is someone he isn't.

No, he can't. That's not what a PGP signature is, does, or is for.

All a PGP signature on a piece of email (or any other document/file/
whatever) tells you is:

1. That it's exceedingly likely that it was signed with a particular
   private key (and you can determine *which* private key, by comparing
   the signature to the public key generated by that private key);

2. That it's exceedingly likely that the document hasn't been altered
   since it was signed.

A PGP signature does *not* tell you that whoever used the private key
to sign the message is really who they say they are. If a public and
private key is apparently associated with a user named "Humpty T. Dumpty,"
there's no guarantee that that person exists, or that that's really the
identity of the person holding that private key. That's up to the
recipient to decide, through setting a confidence level to the key.
However, keysigning, and the resulting so-called "web of trust," can
make this easier.

You might want to read about PGP, and public key infrastructures, a
bit more.

http://web.bham.ac.uk/N.M.Queen/pgp/pgp.html
http://www.desktoplinux.com/articles/AT3341468184.html

-c

--
Chris Metzler [EMAIL PROTECTED]
(remove "snip-me." to email)

"As a child I understood how to give; I have forgotten this grace since I
have become civilized." - Chief Luther Standing Bear
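
The two guarantees and the one non-guarantee listed in the message above, as an added example that is not part of the original email. It assumes textbook RSA over SHA-256 as a stand-in for OpenPGP (it is not OpenPGP and not secure); the key sizes, primes, sample message and function names are constructed for illustration.

```python
# Added illustration: textbook RSA over SHA-256, NOT OpenPGP and not secure.
import hashlib

E = 65537  # public exponent shared by both toy keys

def make_key(p, q, user_id):
    """Build a toy key pair; user_id is whatever the key's creator types in."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))  # private exponent (Python 3.8+)
    return {"uid": user_id, "n": n, "d": d}

def fingerprint(key):
    """Hash of the public key material only; the user ID plays no part in it."""
    return hashlib.sha256(f"{key['n']}:{E}".encode()).hexdigest()[:16]

def _digest(message, n):
    # Toy reduction of the hash into the modulus range.
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n

def sign(key, message):
    """Uses the private exponent d."""
    return pow(_digest(message, key["n"]), key["d"], key["n"])

def verify(key, message, signature):
    """Uses only the public part (n, E) of the key."""
    return pow(signature, E, key["n"]) == _digest(message, key["n"])

# Constructed sample keys from fixed Mersenne primes (far too small for real use).
KEY_A = make_key(2**127 - 1, 2**89 - 1, "Humpty T. Dumpty")
KEY_B = make_key(2**107 - 1, 2**61 - 1, "Humpty T. Dumpty")  # same label, other holder

MESSAGE = b"I will pay for the wall repairs."  # constructed sample message
SIG_A = sign(KEY_A, MESSAGE)

if __name__ == "__main__":
    # Point 1: the signature identifies which private key made it.
    print("verifies under key A:", verify(KEY_A, MESSAGE, SIG_A))
    print("verifies under key B:", verify(KEY_B, MESSAGE, SIG_A))
    # Point 2: any alteration of the document breaks verification.
    print("altered text verifies:", verify(KEY_A, MESSAGE + b"!", SIG_A))
    # Non-guarantee: the user ID is a self-asserted label, identical on both keys.
    print("same user ID:", KEY_A["uid"] == KEY_B["uid"])
    print("same fingerprint:", fingerprint(KEY_A) == fingerprint(KEY_B))
```

Both keys carry the same name, yet only the fingerprint distinguishes them, which is why the recipient has to decide how much confidence to place in a key.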