validating signatures

Mike Acker Mike_Acker at charter.net
Sat Mar 12 21:47:13 CET 2011


I think one of the things that is generally missed in the public
internet environment is the need to validate signatures.

This would apply to X.509 certificates, but working with PGP or GnuPG is
a very good way to learn about digital signatures, and I try to encourage
my computer friends to do this.

A thread on Internet Evolution by Jart Armin gets into this a little,
digressing into some discussion of man-in-the-middle attacks and session
hijacking.

Stuff that should not be happening.  I suspect it may be related to
obsolete software such as old versions of Windows and/or IE.  State-of-the-art
browsers should be sandboxing each web page as a separate
application program so that one web page can't snoop on or modify another
-- even though they are running under one browser.  Given that you are
preventing unauthorized modifications to your system -- and that you are
running a state-of-the-art browser -- it should be pretty tough for a
MITM attack to get into one of your sessions.

In validating a key, though, there are two ways to do it: one, you have
received the key directly from the owner by a secure means; or two, you
have received the key with an authenticating signature attached.

That authenticating signature is what certificate authorities are for.

Now if the key you are looking at has two or more authenticating
signatures, you may only need one signature to satisfy yourself that that
key is valid before you sign it and assign a trust level.  Do you need
to recognize all the signatures?

I'd say that's strictly up to you.



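As an added illustration of the last few paragraphs (this is not code from the original post, and not GnuPG's own implementation), the following Python models the classic GnuPG web-of-trust computation with its default thresholds (--completes-needed 1, --marginals-needed 3, --max-cert-depth 5). The keyring, key names and trust assignments are constructed for the example; it assumes every listed certification has already been verified cryptographically and tracks validity per key rather than per user ID. The point it shows is the one the post ends on: a key carrying several signatures becomes valid on the strength of the one signature you recognize, and signatures from keys you have not trusted are ignored rather than required.

```python
"""Simplified web-of-trust validity calculation (added example).

Models GnuPG's classic trust model with its default thresholds to show
how many of the signatures on a key you actually have to recognize.

Assumptions not in the original post:
  * every certification listed has already been cryptographically
    verified; this code only decides how much each one is worth
  * validity is tracked per key rather than per user ID, and the
    keyring below is constructed for illustration
"""
from dataclasses import dataclass, field

COMPLETES_NEEDED = 1   # one fully trusted signer is enough
MARGINALS_NEEDED = 3   # or three marginally trusted signers
MAX_CERT_DEPTH = 5     # how far from your own key trust may propagate


@dataclass
class Keyring:
    # ownertrust[key] = how much you trust that key's OWNER to certify others
    # ("ultimate" is the post's way one: you got the key directly from the
    # owner; "full"/"marginal" are what you assign after signing a key)
    ownertrust: dict = field(default_factory=dict)
    # certs[signed_key] = set of keys whose signature appears on signed_key
    certs: dict = field(default_factory=dict)

    def certify(self, signer, signed):
        self.certs.setdefault(signed, set()).add(signer)

    def keys(self):
        signers = {s for ss in self.certs.values() for s in ss}
        return sorted(set(self.ownertrust) | set(self.certs) | signers)


def compute_validity(kr, completes_needed=COMPLETES_NEEDED,
                     marginals_needed=MARGINALS_NEEDED,
                     max_depth=MAX_CERT_DEPTH):
    """Return {key: 'full' | 'marginal' | 'unknown'} for every key in kr."""
    validity, depth = {}, {}
    for key, trust in kr.ownertrust.items():
        if trust == "ultimate":          # way one: valid without any signature
            validity[key], depth[key] = "full", 0

    for level in range(1, max_depth + 1):
        changed = False
        for key in kr.keys():
            if validity.get(key) == "full":
                continue
            full = marginal = 0
            for signer in kr.certs.get(key, ()):
                # Only signatures from keys that are themselves fully valid,
                # and closer to you than this level, carry any weight.
                if signer == key or validity.get(signer) != "full":
                    continue
                if depth[signer] >= level:
                    continue
                trust = kr.ownertrust.get(signer, "unknown")
                if trust == "ultimate":
                    full += completes_needed
                elif trust == "full":
                    full += 1
                elif trust == "marginal":
                    marginal += 1
                # "never" and "unknown" signers contribute nothing: a
                # signature you do not recognize is simply ignored
            if full >= completes_needed or marginal >= marginals_needed:
                validity[key], depth[key] = "full", level
                changed = True
            elif full or marginal:
                validity[key] = "marginal"
        if not changed:
            break
    return {key: validity.get(key, "unknown") for key in kr.keys()}


def build_example_keyring():
    """Constructed sample keyring (illustrative names, not real keys)."""
    kr = Keyring(ownertrust={
        "me": "ultimate",                       # your own key
        "bob": "full",                          # signed by you, trusted fully
        "x1": "marginal", "x2": "marginal", "x3": "marginal",
        "mallory": "never",                     # signed by you, never trusted
    })
    for k in ("bob", "x1", "x2", "x3", "mallory"):
        kr.certify("me", k)
    kr.certify("bob", "carol")      # carol carries two signatures...
    kr.certify("dave", "carol")     # ...but you only recognize bob's
    for k in ("x1", "x2", "x3"):
        kr.certify(k, "erin")       # three marginals reach the threshold
    kr.certify("x1", "frank")
    kr.certify("x2", "frank")       # two marginals fall short
    kr.certify("dave", "grace")     # unknown signer only
    kr.certify("mallory", "heidi")  # valid key, but its owner is never trusted
    return kr


if __name__ == "__main__":
    for key, v in compute_validity(build_example_keyring()).items():
        print(f"{key:8s} {v}")
```

Running it, carol comes out fully valid on bob's signature alone, while dave's signature on the same key is neither required nor counted; erin is fully valid from three marginal signers, frank only marginally valid from two, and heidi stays unknown because the one key that signed her is one you have marked "never". With a real keyring the corresponding checks are `gpg --check-sigs <key>` to list and verify the certifications on a key, and `gpg --edit-key <key>` followed by `trust` to assign the owner trust that makes those certifications count.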
