I think one of the things that is generally missed in the public internet environment is the need to validate signatures. This would apply to X.509 certificates, but working with PGP or GnuPG is a very good way to learn about digital signatures, and I try to encourage my computer friends to do this.

A thread on Internet Evolution by Jart Armin gets into this a little, digressing into some discussion of man-in-the-middle attacks and session hijacking, stuff that should not be happening. I suspect it may be related to obsolete software such as old versions of Windows and/or IE. State-of-the-art browsers should be sandboxing each web page as a separate application program so that one web page can't snoop on or modify another -- even though they are running under one browser. Given that you are preventing unauthorized modifications to your system -- and that you are running a state-of-the-art browser -- it should be pretty tough for a MITM attack to get into one of your sessions.

In validating a key, though, there are two ways to do it: one, you have received the key directly from the owner by a secure means; or two, you have received the key with an authenticating signature attached. That authenticating signature is what certificate authorities are for. Now, if the key you are looking at has two or more authenticating signatures, you may only need one signature to satisfy yourself that that key is valid before you sign it and assign a trust level. Do you need to recognize all the signatures? I'd say that's strictly up to you.
_______________________________________________ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
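The second validation route the post describes (an authenticating signature from a key you already trust) can be checked mechanically against the record format that `gpg --check-sigs --with-colons` emits. This is an added example, not code from the post or from GnuPG; the key IDs, listing and ownertrust table are constructed, and the decision rule (only good, non-self certifications from keys with full or ultimate ownertrust count) stands in for the judgment the post leaves "up to you".

```python
"""Check whether a candidate OpenPGP key has an authenticating signature from
a key you trust, parsing `gpg --check-sigs --with-colons` records (constructed)."""

# Constructed listing for one candidate key. Field 1: record type;
# field 2 (sig): check result ('!' good, '-' bad, '?' signer key missing);
# field 5: key ID; field 9 (pub): ownertrust; field 11 (sig): class.
SAMPLE_LISTING = """\
pub:-:4096:1:AAAA000011112222:1600000000:::-:::scESC:
uid:-::::1600000000::DEADBEEF::Candidate <candidate@example.org>:
sig:!::1:AAAA000011112222:1600000000::::Candidate <candidate@example.org>:13x:
sig:?::1:CCCC000011112222:1600000100::::Unknown <unknown@example.org>:10x:
sig:-::1:BBBB000011112222:1600000200::::Bob <bob@example.org>:10x:
sig:!::1:BBBB000011112222:1600000300::::Bob <bob@example.org>:13x:
"""

# Ownertrust you assigned to keys already in your ring
# ('u' ultimate, 'f' full, 'm' marginal, '-' unknown).
OWNERTRUST = {"BBBB000011112222": "f", "CCCC000011112222": "-"}
TRUSTED_LEVELS = {"u", "f"}
CERTIFICATION_CLASSES = {"10", "11", "12", "13"}  # generic .. positive


def parse_records(listing):
    """Split --with-colons output into one field list per record."""
    return [line.split(":") for line in listing.splitlines() if line.strip()]


def authenticating_signers(listing, ownertrust):
    """Key IDs of trusted keys holding a *good* certification on the key.

    Self-signatures are skipped (a key vouching for itself proves nothing),
    as are bad or uncheckable signatures and non-certification classes."""
    records = parse_records(listing)
    own_keyid = next(r[4] for r in records if r[0] == "pub")
    signers = set()
    for r in records:
        if r[0] != "sig" or len(r) < 11:
            continue
        status, signer, sig_class = r[1], r[4], r[10][:2]
        if signer == own_keyid or status != "!":
            continue
        if sig_class in CERTIFICATION_CLASSES and ownertrust.get(signer) in TRUSTED_LEVELS:
            signers.add(signer)
    return signers


def key_is_validated(listing, ownertrust, received_directly=False):
    """The two routes from the post: the key came directly from its owner
    over a secure channel, or at least one trusted key vouches for it."""
    return received_directly or bool(authenticating_signers(listing, ownertrust))
```

In the sample, Bob's bad signature and the signature from a key not in your ring are ignored, and only Bob's later good certification qualifies; lowering Bob to marginal trust makes the check fail.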