> > This is not the way it's supposed to work. If I don't check the
> > public key is trusted, why should I believe a message signed with
> > it? Simply picking up the key with the message is tantamount to
> > doing nothing. I must either know the key beforehand (i.e. I have
> > it in my keyring) or I fetch it from a public server and check who
> > vouches for it.
> >
> > poc
>
> That's what I thought too. Like my friend and I. We physically
> checked each other's fingerprints too. We know who we are and who
> the key belongs to. So of course we sign it and trust it.
>

Sorry, I've come a bit late to this bit of the conversation ...
Signing a message does two things: 1) it verifies who the sender is and 2) verifies that the contents of the message haven't changed. In order to do both with any sort of veracity, you must know with absolute certainty who the key that the message is signed with belongs to. Merely adding a public key to the message does NOT enable you to do this.

Remember that ANYONE can generate a PGP public/private key pair in the name of any person. So I can generate a key in Stig's name, write an email spoofing his email address, sign it and add the public key to the email to "verify" the message ... would you accept it?? Even worse, I could intercept a message between Stig and his friend, edit the plain text, re-sign it with the bogus key and pass it on (with the public key attached so it can be "verified").

No, you absolutely MUST NOT trust a public key attached to a message unless it has been independently signed and verified by a 3rd party *that you trust*. It is only through a web of trust created by signed keys that you can be reasonably certain that new keys are correct; and similarly, you must only sign keys that you know WITH ABSOLUTE CERTAINTY belong to the person.

I have been involved with CERT PGP key signing parties in the past where the only valid form of identification is a passport and the person must be physically present - but you do get a key that most people trust!

P.

_______________________________________________
evolution-list mailing list
evolution-list@gnome.org
To change your list options or unsubscribe, visit ...
https://mail.gnome.org/mailman/listinfo/evolution-list
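The rule P. describes (a key attached to a message proves nothing; only certifications from keys you already trust make it valid), as an added illustration that is not code from this thread or from any PGP implementation. It models classic web-of-trust key validity with constructed fingerprints and user ids, and shows the self-signed key attached to a spoofed mail failing while a key vouched for by a trusted friend passes.

```python
from dataclasses import dataclass, field

FULL, MARGINAL, UNKNOWN = "full", "marginal", "unknown"

@dataclass
class Key:
    fpr: str  # fingerprint, a constructed placeholder rather than a real key
    uid: str  # the owner the key claims to belong to
    cert_sigs: set = field(default_factory=set)  # fingerprints of keys that certified this uid

class Keyring:
    def __init__(self, own_fpr, marginals_needed=3):
        self.keys = {}
        self.own = own_fpr
        self.owner_trust = {}  # fpr -> FULL/MARGINAL: how far we trust that owner to vouch for others
        self.marginals_needed = marginals_needed

    def add(self, key):
        self.keys[key.fpr] = key

    def set_owner_trust(self, fpr, level):
        self.owner_trust[fpr] = level

    def is_valid(self, fpr, seen=frozenset()):
        """Valid = our own key, or certified by a valid key whose owner we trust fully,
        or by enough valid marginally trusted keys. A self-signature never counts."""
        if fpr == self.own:
            return True
        key = self.keys.get(fpr)
        if key is None or fpr in seen:
            return False
        full = marginal = 0
        for signer in key.cert_sigs:
            if signer == fpr or not self.is_valid(signer, seen | {fpr}):
                continue
            level = FULL if signer == self.own else self.owner_trust.get(signer, UNKNOWN)
            full += level == FULL
            marginal += level == MARGINAL
        return full >= 1 or marginal >= self.marginals_needed

def attached_key_scenario():
    """The case argued in the thread: a message arrives with a key in Stig's name attached."""
    ring = Keyring(own_fpr="ME00")
    ring.add(Key("ME00", "Me <me@example.org>", {"ME00"}))
    ring.add(Key("STIG", "Stig <stig@example.org>", {"STIG", "ME00"}))  # fingerprint checked in person, so we signed it
    ring.add(Key("FAKE", "Stig <stig@example.org>", {"FAKE"}))          # generated by anyone, attached to a spoofed mail
    ring.add(Key("FRND", "Friend <f@example.org>", {"FRND", "ME00"}))   # friend we signed and trust to vouch for others
    ring.set_owner_trust("FRND", FULL)
    ring.add(Key("NEWK", "New <n@example.org>", {"NEWK", "FRND"}))      # never met, but certified by the trusted friend
    return {fpr: ring.is_valid(fpr) for fpr in ("STIG", "FAKE", "NEWK")}
```

A message whose signature checks out against FAKE is still unverified: the signature only proves the message was signed by whoever made that key, and the keyring has no reason to connect that key to Stig.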