robert burrell donkin wrote:
On Sun, 2005-05-29 at 23:41 -0400, Dave Brondsema wrote:It would be useful, I think, to get a keyid from a signature, fetch and update keys from a keyserver, and get names and email addresses from a public key. Just verifying the signature without showing who's key created it (which depends on the above functionality) doesn't do a whole lot of good. Although computing a trust value is what *really* does good.automatically fetching a public key from a server and then presenting the name and email from it would need to approached carefully. for example, the key may say "Robert Burrell Donkin (CODE SIGNING KEY) <[EMAIL PROTECTED]>" but may not be B1313DE2. it would be very unwise to trust such a key.
Exactly. It might be best then to only add functionality for getting a keyid from a signature. If keyid is added as a member of SignatureStatus, then the verify* methods are fine how they are. -- Dave Brondsema : [EMAIL PROTECTED] http://www.splike.com : programming http://www.brondsema.net : personal <><
signature.asc
Description: OpenPGP digital signature
