basic hash signature question
David Shaw
dshaw at jabberwocky.com
Wed Mar 17 03:22:59 CET 2004
On Tue, Mar 16, 2004 at 10:33:58AM -0600, Ryan Malayter wrote:
> [David Shaw]
> >This is a common problem with server-based things - how do you trust
> >the server isn't lying?
>
> In this day and age of worm-installed backdoor trojans - and even
> compromised Linux source code trees - how do you really know that your
> personal workstation isn't lying when it verifies GnuPG signatures?
>
> It's a matter of degrees of trust. Isn't it reasonable to assume, for
> instance, that a well-run web server, owned by a security-conscious
> organization, with an appropriate SSL certificate, is at least as
> trustworthy as the end-user's PC?

No. You can't really compare the security of a machine that sits
under your desk with one in a data center somewhere. Not to even get
into the "which is better" question - it's just an apples and oranges
comparison.

David
More information about the Gnupg-users mailing list