>> But in order to sign the files, the public key for the signature would have to be posted somewhere!

That is the purpose of keyservers like http://pgp.mit.edu. In order to make sure a public key actually belongs to the "right" person, public keys can be signed by others to create a "web of trust". It would be a good idea for active recipe authors to sign each other's keys.

All that seems a bit complicated when explained, but is in fact nearly completely hidden by the software extensions/addons that handle the complexity.

All this is absolutely not new nor specific to PmWiki recipes... The techniques and the software have been in daily use for many years by hundreds of thousands of persons for email, file transfer, etc. Automated software upgrades rely on them too: GPG is standard on most Linux distributions and used to validate the software distributed by the repositories.

>> Perhaps the author's profile page would be a good place to put that, the author could password protect this page?

Public keys may, by definition, be distributed to anyone. The only difficulty is to make sure a public key actually belongs to the "right" person and is not fake. Hence the web of trust.

Therefore, the (signed by others) public keys of the recipe authors could also be posted on pmwiki.org, and/or on their own site, and/or on key servers, etc.

As an example, here is my public key: https://www.christophedavid.org/w/c/w.php/Main/CDAPubkey

>> But if we do that, why not simply put the MD5 hashes on the author's profile page instead?

Because you lack the "web of trust". If you get a public key and can validate that several persons you trust have signed it (meaning "I certify this key belongs to xyz"), then you should feel confident. If you just have a hash, you cannot be sure it has not been calculated by the person who modified the file to insert some nasty code.

Christophe

_______________________________________________
pmwiki-users mailing list
pmwiki-users@pmichaud.com
http://www.pmichaud.com/mailman/listinfo/pmwiki-users
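
The hash-versus-signature point in the last reply, as an added example that is not part of the original message: a constructed recipe file is published with an MD5 hash and a detached GnuPG signature, then the file and the hash next to it are changed. It assumes GnuPG 2.1 or later and `md5sum`; the key, address and file are made up for the demo, and the downloader's copy of the public key is assumed to have been validated already (the web of trust itself is not modelled).

```bash
#!/usr/bin/env bash
# Added example. The key, address and recipe file below are constructed for the demo.
set -eu

WORK=$(mktemp -d)
AUTHOR_HOME="$WORK/author"; USER_HOME="$WORK/user"
mkdir -m 700 "$AUTHOR_HOME" "$USER_HOME"
RECIPE="$WORK/recipe.php"

# Author side: throwaway key, recipe file, published hash and detached signature.
author_publish() {
  gpg --homedir "$AUTHOR_HOME" --batch --quiet --pinentry-mode loopback --passphrase '' \
      --quick-generate-key 'Recipe Author <author@example.invalid>' ed25519 sign never
  printf '<?php echo "hello from recipe";\n' > "$RECIPE"
  md5sum "$RECIPE" | cut -d' ' -f1 > "$RECIPE.md5"
  gpg --homedir "$AUTHOR_HOME" --batch --quiet --armor --detach-sign \
      --output "$RECIPE.asc" "$RECIPE"
  # The exported public key is what goes on a profile page or a keyserver.
  gpg --homedir "$AUTHOR_HOME" --batch --armor --export > "$WORK/author.pub.asc"
}

# Downloader side: a separate keyring that only ever holds the public key.
user_import_key() {
  gpg --homedir "$USER_HOME" --batch --quiet --import "$WORK/author.pub.asc"
}

# Whoever can edit the page can change the file and recompute the hash beside it,
# but cannot produce a new signature without the author's private key.
modify_file_and_hash() {
  printf '// extra line not written by the author\n' >> "$RECIPE"
  md5sum "$RECIPE" | cut -d' ' -f1 > "$RECIPE.md5"
}

hash_ok() { [ "$(md5sum "$RECIPE" | cut -d' ' -f1)" = "$(cat "$RECIPE.md5")" ]; }
sig_ok()  { gpg --homedir "$USER_HOME" --batch --quiet --verify "$RECIPE.asc" "$RECIPE" 2>/dev/null; }

report() {
  hash_ok && echo "hash: match" || echo "hash: MISMATCH"
  sig_ok  && echo "signature: good" || echo "signature: BAD"
}

author_publish; user_import_key
echo "== as published =="; report
modify_file_and_hash
echo "== after modification =="; report
gpgconf --homedir "$AUTHOR_HOME" --kill gpg-agent 2>/dev/null || true
```

As published, both checks pass; after the change the recomputed hash still matches and only the signature check fails.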