nd "ultimate"). One can imagine situations in which a key's owner is
"never" trusted to sign others' keys, but one would still like to keep
track of how valid the key itself is ("unknown", "marginal" or
"full"). However, such situa
er is left to decide whether
the person should be trusted.
Am I correct in this?
Thanks,
Kerrick Staley
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
Just to make sure that I'm understanding this, a complete PGP signature does
not embed information about whether it is the signature of a file or the
signature of a certificate, so it's a bad idea to sign a remotely generated
digest?
-Kerrick Staley
On Mon, Jun 13, 2011 at 5:36 P
x.
OK, that answers my question. I think we'll go with the hash-signing
implementation. Thanks!
-Kerrick Staley
t for complete security, the
databases must themselves also be signed; otherwise, an attacker could
use DNS spoofing to deliver a database listing outdated packages with
known vulnerabilities, and it would happily be accepted by end-users'
systems. The vulnerable packag
On Sun, Jun 12, 2011 at 5:37 PM, Jerome Baum wrote:
>
> On Sun, Jun 12, 2011 at 23:15, Kerrick Staley wrote:
> > Is it possible to generate the digest for a file, and then create the
> > signature from that digest later?
>
> Problem is, you don't know what you'r
would be very useful, but I cannot find documentation anywhere on
how to do this. Can anyone help?
Thanks,
Kerrick Staley