My small brain does not understand certification...

Anthony E. Greene
Thu Jun 28 01:20:01 2001

Hash: SHA1

On Wed, 27 Jun 2001, Techmeister wrote:

>Imagine that I have killerapp.exe v1.0 and I create a digital signature
>with GNUGP. Fine, no-one can modify the file without the cert being
>invalidated, but Carl Cracker adds a virus to my program, and creates
>his certificate, and distributes killerapp.exe, Virus Edition.
>A user checks the file against the certificate, and everything is OK, as
>the certificate corresponds to the file.
>How would the user be able to know that killerapp.exe has been modified
>by a cracker and is not the original file or certificate? Would the user
>have to check the certificate against my public key? (as they know that
>the file should have come from me) Or is the use of certificates
Essentially, you're right. A user would not know unless he'd somehow verified that the public key actually belongs to the author of the software. This issue highlights one of the differences between the Web of Trust model used in OpenPGP and the hierarchal model used by some other systems. In a hierarchal model, the author's key would be signed by some Certification Authority (CA). That way you'd know you have the right key (within the limits of checking done by the CA). In the Web of Trust model you essentially have to pick your own trusted signers. Signtures by these trusted entities would confer validity to public keys (in your opinion). Without those signatures you have to do the legwork to ensure a key actually belongs to the purported owner. Tony - -- Anthony E. Greene <> <> PGP Key: 0x6C94239D/7B3D BD7D 7D91 1B44 BA26 C484 A42A 60DD 6C94 239D Chat: AOL/Yahoo: TonyG05 MSN: te_greene Linux. The choice of a GNU Generation. <> -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.4 (GNU/Linux) Comment: Anthony E. Greene <> 0x6C94329D iD8DBQE7OmmapCpg3WyUI50RAlcLAKCdJNLN/2masxVadoUcu+KTK46yewCcC8MU Ro5FFMUqe+pgGhe5d0D6ILE= =8FQ3 -----END PGP SIGNATURE-----