playing with cryptography...
Bill Royds
bill.royds at Royds.net
Fri May 2 23:55:17 CEST 2008
On 2-May-08, at 04:50 , Ramon Loureiro wrote:
> Great!
> I think I've got it!
> (This msg should be MIME-signed with a Thawte certification)
Yes, it was signed, by the Thawte issued signature.
Basically, X.509 PKI-type signing is a tree of trust relationships,
where the root of the tree is a set of certificate issuers that your
browser or email program trusts whether you do or not. These then
issue certificates to others, who can issue certificates to more people,
etc. It is simpler because you leave the question of whom you trust up
to Microsoft or Mozilla or Apple.
For example, your certificate was issued by Thawte, whose certificate
was embedded in the Apple Mail program that I use. So trusting your
certificate means that I trust Apple (for embedding Thawte) and Thawte
(who issued your certificate). The signature verifies that the sender
is who he/she claims but does not verify that the contents of the
message have not been altered.
The PGP (GPG) model is that one only trusts certificates that come
from someone you already trust or from someone that is trusted by
someone who you trust etc. There is no implicit trust so it takes more
effort to get that trust. It also verifies that the message has not
been altered as well as providing a signing for the sending.
I think the GPG model is more secure, but the other model is more
profitable for the issuers. That is why it is implemented in browsers
and email readers.
P.S.
Your Thawte certificate reads Signed (ramon.loureiro at upf.edu)
Bill Royds
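As an added illustration of the "tree of trust" Bill describes (this is my own example, not part of Bill's message and not GnuPG or Apple Mail code), the script below uses openssl to build a three-level X.509 chain, a self-signed root, an intermediate CA issued by it, and a leaf certificate for a made-up user issued by the intermediate, then checks how verification behaves. The names (Demo Root CA, Demo Intermediate CA, Demo User, user@example.invalid), the file names and the unrelated "Untrusted Root CA" are all invented for the demonstration. The leaf only verifies when the root at the top of its chain is in the verifier's trust store and the intermediate is available; a leaf under a root the verifier has not been given fails, which is exactly the decision that a mail client normally makes on your behalf with the vendor-shipped root list.

```shell
#!/bin/sh
# Added example, not from the original mailing-list message.
# Requires the openssl command-line tool. Everything is created in a
# temporary directory and removed on exit.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# 1. Root CA (self-signed). This is the kind of certificate a browser or
#    mail client vendor embeds as a trust anchor. Hypothetical name.
openssl req -x509 -newkey rsa:2048 -nodes -keyout root.key -out root.pem \
  -subj "/CN=Demo Root CA" -days 30 2>/dev/null

# 2. Intermediate CA, issued by the root and allowed to issue further
#    certificates (CA:TRUE) but not further CAs (pathlen:0).
openssl req -newkey rsa:2048 -nodes -keyout inter.key -out inter.csr \
  -subj "/CN=Demo Intermediate CA" 2>/dev/null
printf '%s\n' 'basicConstraints=critical,CA:TRUE,pathlen:0' \
  'keyUsage=critical,keyCertSign,cRLSign' > inter.ext
openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -out inter.pem -days 30 -extfile inter.ext 2>/dev/null

# 3. Leaf (end-entity) certificate for a made-up user, issued by the
#    intermediate, marked for e-mail protection like an S/MIME cert.
openssl req -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
  -subj "/CN=Demo User/emailAddress=user@example.invalid" 2>/dev/null
printf '%s\n' 'basicConstraints=critical,CA:FALSE' \
  'keyUsage=critical,digitalSignature' \
  'extendedKeyUsage=emailProtection' > leaf.ext
openssl x509 -req -in leaf.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
  -out leaf.pem -days 30 -extfile leaf.ext 2>/dev/null

# 4. A second, unrelated self-signed root that is NOT above the leaf.
openssl req -x509 -newkey rsa:2048 -nodes -keyout other.key -out other.pem \
  -subj "/CN=Untrusted Root CA" -days 30 2>/dev/null

# verify_leaf TRUST_ANCHOR: exit 0 iff leaf.pem chains, via inter.pem,
# to a root contained in the file TRUST_ANCHOR (the "trust store").
verify_leaf() {
  openssl verify -CAfile "$1" -untrusted inter.pem leaf.pem >/dev/null 2>&1
}

# verify_leaf_without_intermediate TRUST_ANCHOR: same check but the
# verifier is never given the intermediate, so the chain cannot be built.
verify_leaf_without_intermediate() {
  openssl verify -CAfile "$1" leaf.pem >/dev/null 2>&1
}

# print_chain: show the subject/issuer links of the tree for the reader.
print_chain() {
  for c in leaf.pem inter.pem root.pem; do
    echo "== $c"
    openssl x509 -noout -subject -issuer -in "$c"
  done
}

print_chain
if verify_leaf root.pem; then
  echo "leaf verifies: trusted root is in the store and intermediate supplied"
fi
if ! verify_leaf other.pem; then
  echo "leaf rejected: the root in the store is not the one above the leaf"
fi
if ! verify_leaf_without_intermediate root.pem; then
  echo "leaf rejected: intermediate missing, chain to the root cannot be built"
fi
```

Running it prints the subject and issuer of each certificate, so you can read the tree bottom-up (leaf issued by intermediate, intermediate issued by root, root issued by itself), followed by the three verification outcomes. Replacing root.pem in the first check with your own system's CA bundle would show the same thing for a real certificate: what matters is which roots the verifier has been told to trust, not whether the signature on the leaf is mathematically valid.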