Improved verification of messages
Frank Tobin
ftobin@uiuc.edu
Wed, 13 Sep 2000 05:00:43 -0500 (CDT)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- -, at 01:06 -0700 on Wed, 13 Sep 2000, wrote:
> This public key will only be used for orders, so it
> will not be distributed to anyone - in fact it will
> have 500 permissions on the server so that no-one
> except my user-id and root ought to be able to read
> the key. The corresponding private key will NOT be
> stored on the server.
This is a bad approach, does not provide you with any real security, and
makes you semi-believe you've got some sort of authentication by having
orders encrypted with a specific public-key. Your security needs to come
from authenticating that orders come from your webserver to your
processing forms correctly, and from your processing forms to you
correctly. Or, why not just accept any form as being valid? Use the
payment options as authentication.
- --
Frank Tobin http://www.uiuc.edu/~ftobin/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.2 (FreeBSD)
Comment: pgpenvelope 2.9.0 - http://pgpenvelope.sourceforge.net/
iEYEARECAAYFAjm/UFIACgkQVv/RCiYMT6P19QCfXWstV7+bBuvh5mEkgp9Of4bM
2OYAnik6wepiPapP+JvcnBkCXG4Ufol5
=UZt/
-----END PGP SIGNATURE-----