basic hash signature question

David Shaw dshaw at jabberwocky.com
Sat Mar 13 17:25:24 CET 2004


On Fri, Mar 12, 2004 at 04:38:06PM +0100, Albert wrote:
> On Friday, 12 March 2004 00:53, David Shaw wrote:
> > On Fri, Mar 12, 2004 at 12:22:21AM +0100, Albert wrote:
> > > On Thursday, 11 March 2004 23:35, David Shaw wrote:
> > > > > if someone doesn't have the signer's public key,
> > > > > is it still possible to verify the integrity of the signed
> > > > > file, even though one cannot verify the authenticity
> > > >
> > > > No.
> > > >
> > > > David
> > >
> > > Is there a possibility to check with a web interface? URL?
> >
> > Without the signer's public key, you can't do anything.  The math
> > just doesn't work that way.
> 
> The public key I can get from a keyserver
> 
> > You could set up a web page to check signatures, sure, but you're
> > assuming that web page is trustworthy and not compromised, etc.
> 
> That's the problem. I am thinking of a situation where no gpg is
> installed on a foreign PC.

It's certainly doable, but why should the user of this service trust
it?  It could just be printing out "signature good" without actually
checking, or worse, printing out "signature bad" for certain people,
but not others, etc.

This is a common problem with server-based things - how do you trust
the server isn't lying?

David
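
Added example, not part of the original thread: a Python sketch of why a signature value is useless without the signer's public key, and why a remote checker's answer cannot be distinguished from a fabricated one. It assumes a constructed toy textbook-RSA key (no padding, not GnuPG's signature format), a constructed sample file, and a hypothetical `lying_service` function.

```python
import hashlib

# Constructed toy key: textbook RSA with no padding, far too small for real
# use and not how GnuPG encodes signatures. It only illustrates the math.
P, Q, E = 2**61 - 1, 2**89 - 1, 65537           # two Mersenne primes
SIGNER_PUB = (P * Q, E)
SIGNER_PRIV = pow(E, -1, (P - 1) * (Q - 1))      # private exponent d

# A second, unrelated constructed modulus standing in for "not the signer's key".
OTHER_PUB = ((2**31 - 1) * (2**107 - 1), E)


def digest(data: bytes, n: int) -> int:
    """SHA-256 of the file, reduced mod n so the toy key can sign it."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(data: bytes) -> int:
    """Signer side: raise the digest to the private exponent."""
    n, _ = SIGNER_PUB
    return pow(digest(data, n), SIGNER_PRIV, n)


def verify(data: bytes, sig: int, pub) -> bool:
    """Local check: undo the signature with the public key, compare digests."""
    n, e = pub
    return pow(sig, e, n) == digest(data, n)


def lying_service(data: bytes, sig: int) -> bool:
    """Hypothetical web checker that reports success without doing any math."""
    return True


original = b"release-1.0 tarball contents (constructed sample)"
tampered = original + b" with one modified byte range"
sig = sign(original)


def results() -> dict:
    return {
        "signer key, original file": verify(original, sig, SIGNER_PUB),
        "signer key, tampered file": verify(tampered, sig, SIGNER_PUB),
        "other key, original file": verify(original, sig, OTHER_PUB),
        "other key, tampered file": verify(tampered, sig, OTHER_PUB),
        "remote service, tampered file": lying_service(tampered, sig),
    }


if __name__ == "__main__":
    for case, ok in results().items():
        print(f"{case}: {'good' if ok else 'bad'}")
```

With any key other than the signer's, the intact and the tampered file both fail identically, so the signature alone carries no usable integrity information; the remote service's "good" for the tampered file looks exactly like an honest answer to the caller.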



More information about the Gnupg-users mailing list