Verifying signatures via WWW interface

Bernd Eckenfels lists@lina.inka.de
Tue May 14 00:24:02 2002


On Mon, May 13, 2002 at 05:22:01PM -0400, Toxik - Fabian Rodriguez wrote:
> Of course, we don't want to store a private key for this particular
> application, what would be required to have a trust path? The local keyring
> only has public keys in this example.

You can either ignore the message or lsign all your keys in the keyring with
a "trusted" key. You do not need to store the trusted key on the system; you
can mark a public key as trusted. This is used like this:

a) The user sends you a key, you verify it and sign it.
b) You store the signed key on an automatic signature checking device. In
order to avoid having to store your signature generating key on that device,
you just place the public key there and mark it trusted. This has the
advantage (over blindly trusting all keys in the keyring) that adding keys to
the keyring is not a privileged application and does not need a trusted channel
to the verifier.

Hope this is clear. I use this for a B2Bi server which is able to check
incoming messages from trading partners and decides if they are known, based
on an "accept" lsign from operating staff. This even works with a keyserver.

Greetings
Bernd
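
An added example, not part of the original message: a sketch of how the verifier behind a web interface could turn the output of `gpg --status-fd` into an accept/reject decision, so that a key that is merely present in the keyring is rejected and only a key made valid by the trusted key's signature is accepted. The function name `decide`, the fingerprint, the key IDs and the three status transcripts are constructed for illustration.

```python
import re

# Status keywords written by `gpg --status-fd` (documented in GnuPG's doc/DETAILS).
FATAL = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG", "NO_PUBKEY"}
TRUSTED = {"TRUST_FULLY", "TRUST_ULTIMATE"}
UNTRUSTED = {"TRUST_UNDEFINED", "TRUST_NEVER", "TRUST_MARGINAL"}
STATUS_RE = re.compile(r"^\[GNUPG:\] (\S+)(?: (.*))?$")

def decide(status_output):
    """Return (accepted, reason, fingerprint) for one verification run."""
    seen = []
    for line in status_output.splitlines():
        m = STATUS_RE.match(line.strip())
        if m:
            seen.append((m.group(1), m.group(2) or ""))
    words = [w for w, _ in seen]
    for w in words:
        if w in FATAL:                      # bad, expired, revoked or unknown key
            return (False, w, None)
    # Require exactly one signature so the trust line cannot belong to another one.
    if words.count("GOODSIG") != 1 or words.count("VALIDSIG") != 1:
        return (False, "need exactly one good signature", None)
    args = next(a for w, a in seen if w == "VALIDSIG").split()
    if not args:
        return (False, "VALIDSIG without fingerprint", None)
    trust = [w for w in words if w in TRUSTED | UNTRUSTED]
    if len(trust) != 1:
        return (False, "ambiguous or missing trust status", args[0])
    # A good signature alone is not enough: the key must have a trust path.
    return (trust[0] in TRUSTED, trust[0], args[0])

FPR = "0123456789ABCDEF0123456789ABCDEF01234567"   # constructed fingerprint

# Constructed transcript: partner key carries a signature from the trusted key.
ACCEPTED = f"""[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 89ABCDEF01234567 Partner A <a@example.invalid>
[GNUPG:] VALIDSIG {FPR} 2002-05-14 1021335842 0 3 0 17 2 00 {FPR}
[GNUPG:] TRUST_FULLY"""

# Constructed transcript: key was added to the keyring but never signed.
KEYRING_ONLY = ACCEPTED.replace("TRUST_FULLY", "TRUST_UNDEFINED")

# Constructed transcript: sender's key is not in the keyring at all.
UNKNOWN = """[GNUPG:] ERRSIG 5555666677778888 17 2 00 1021335842 9
[GNUPG:] NO_PUBKEY 5555666677778888"""

if __name__ == "__main__":
    for name in ("ACCEPTED", "KEYRING_ONLY", "UNKNOWN"):
        print(name, decide(globals()[name]))
```
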