keyserver problems'

Allie Martin
Wed Jul 18 23:34:02 2001

Hash: SHA1

Hi Janusz,
     On Wed, 18 Jul 2001, at 23:03:28 [GMT +0200 (CEST)] you wrote:


> You can't verify the signature regrardless of it being clearsigned or
> fnot, without having the sender public key because of way public key
> crypto works. Check the math, it is not that complicated.
I didn't say anything about not having the public key. What I'm proposing can be done using PGP. The process would seem to be, from my uninformed POV, that the key is downloaded, though not actually imported to the local keyring. You are able to inspect the signatures associated with the key and these are cross-referenced with keys that may already be on your local keyring. You can then check the signature without actually adding the key to your keyring.
> And verifying a signature without importing the key (if would possible
> with specifying of separate key) is incredibly stupid thing because
> without importing it you can't make trust calculation which defeats the
> purpose of the web of trust. See for example Schneier's Apllied Crypto
> definition of how it works.
So, one should collect as many keys as possible so that trusts can be calculated? I'm assuming here that trusts are calculated by examining the signatures associated with the keys. If the person who signed the key's public key isn't on your keyring then the signature would be just listed as an unknown signature. So it would be wise to collect public keys for this purpose. Am I reading you right here or am I totally off the mark and exhibiting more incredible stupidity? :-) - -- Allie Martin PGPKey ID:0x2B0717E2 Fingerprint:A053 0692 8415 8FC1 E677 0BDB 57C9 EB60 2B07 17E2 __ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (MingW32) - GnuPGshell v1.80u Comment: Get my Public Key here - iD8DBQE7VgBBV8nrYCsHF+IRAlGqAJ9QmQwjR0eed7kJxChdZvfRnYBrGgCeNAPN sEZE+KFRCJQb5ZeP/TzNV1A= =9JUO -----END PGP SIGNATURE-----