Improved verification of messages

Frank Tobin
Wed, 13 Sep 2000 05:00:43 -0500 (CDT)

Hash: SHA1

- -, at 01:06 -0700 on Wed, 13 Sep 2000, wrote:

> This public key will only be used for orders, so it
> will not be distributed to anyone - in fact it will
> have 500 permissions on the server so that no-one
> except my user-id and root ought to be able to read
> the key. The corresponding private key will NOT be
> stored on the server.
This is a bad approach, does not provide you with any real security, and makes you semi-believe you've got some sort of authentication by having orders encrypted with a specific public-key. Your security needs to come from authenticating that orders come from your webserver to your processing forms correctly, and from your processing forms to you correctly. Or, why not just accept any form as being valid? Use the payment options as authentication. - -- Frank Tobin -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.2 (FreeBSD) Comment: pgpenvelope 2.9.0 - iEYEARECAAYFAjm/UFIACgkQVv/RCiYMT6P19QCfXWstV7+bBuvh5mEkgp9Of4bM 2OYAnik6wepiPapP+JvcnBkCXG4Ufol5 =UZt/ -----END PGP SIGNATURE----- -- Archive is at - Unsubscribe by sending mail with a subject of "unsubscribe" to