basic hash signature question
rmalayter at bai.org
Tue Mar 16 17:33:58 CET 2004
>This is a common problem with server-based things - how do you trust
>the server isn't lying?
In this day and age of worm-installed backdoor trojans - and even
compromised Linux source code trees - how do you really know that your
personal workstation isn't lying when it verifies GnuPG signatures?
It's a matter of degrees of trust. Isn't it reasonable to assume, for
instance, that a well-run web server, owned a security-conscious
organization, with an appropriate SSL certificate, is at least as
trustworthy as the end-user's PC?
More information about the Gnupg-users