Thanks, @Alan, I missed @Andrew's question (or rather, my SPAM filter missed it for me).
Alan's answer is unquestionably the correct one -- and also, I think in the earliest days of digital signatures, before the use of SSL/TLS browsing was widespread, the idea was that my public key was "public knowledge." You might have looked it up a month ago, you could look it up again today, your colleagues looked it up, it might be published in multiple places -- so any change introduced by MitM would be noticed. Not as good an answer as Alan's, but I think it was the original answer.

Charles

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Alan Altmark
Sent: Wednesday, April 4, 2018 6:03 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Software Delivery on Tape to be Discontinued

On Wed, 4 Apr 2018 10:58:16 +1000, Andrew Rowley <and...@blackhillsoftware.com> wrote:

>How do I verify that the key that I see browsing your website is really
>yours and hasn't been e.g. substituted in transit? Key exchange is the
>hardest bit of cryptography.

Because you accessed the web site via https://, causing the transmission of the key to be encrypted and tamper-proof. Further, Charles' web site uses a certificate published by a Certificate Authority that YOU trust. Or more precisely, he uses a CA that the vendor of your browser trusts. You trust your vendor implicitly by using their browser.