basic hash signature question

David Shaw dshaw at
Wed Mar 17 03:22:59 CET 2004

On Tue, Mar 16, 2004 at 10:33:58AM -0600, Ryan Malayter wrote:
> [David Shaw]
> >This is a common problem with server-based things - how do you trust 
> >the server isn't lying?
> In this day and age of worm-installed backdoor trojans - and even
> compromised Linux source code trees - how do you really know that your
> personal workstation isn't lying when it verifies GnuPG signatures?
> It's a matter of degrees of trust. Isn't it reasonable to assume, for
> instance, that a well-run web server, owned a security-conscious
> organization, with an appropriate SSL certificate, is at least as
> trustworthy as the end-user's PC?

No.  You can't really compare the security of a machine that sits
under your desk with one in a data center somewhere.  Not to even get
into the "which is better question" - it's just an apples and oranges


More information about the Gnupg-users mailing list