Several questions as feedback on gnupg
Thu Jan 24 21:38:02 2002
-----BEGIN PGP SIGNED MESSAGE-----
On Thursday 24 January 2002 02:53, Mike Touloumtzis wrote:
> I can't see how getting my key from a keyserver is any safer than
> getting a "specially prepared key" from me. I can upload whatever I
> want to the keyservers. Can you explain why you believe downloading
> from the keyservers is safer? Is there material which is relevant to
> the signing process, not covered by the fingerprint, and not visible
> in the UID?
If you upload your key to a keyserver everyone can get it from there.
Therefore it would be much more dangerous for you to upload a key with
a wrong UID.
OTOH, if you send me your key and I send the signed key back to you then
it's just me who knows about this key. And then you could add a
malicious UID and probably trick my non-OpenPGP-understanding friends
into signing it because I signed your key. And if I trusted my friends
maybe marginally (which I obviously should better not) you could
achieve that your malicious UID was valid for me. Of course this
example is very hypothetical. So it doesn't really matter much how I
get you key.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org
-----END PGP SIGNATURE-----