On Tuesday 04 January 2011 16:56:14 Fabio Spelta wrote:
> > > > > > Am I doing something wrong?
> > > You have to install the signer's public key.
> I strongly agree, this should be documented step by step because it's very
> important.
> To get Mr. Toseland's latest key run this:
>
> gpg --recv-keys 75941D88
>
> Then you will have the chance to verify the signature.
>
> Some explanation: to verify a "real" (read: pen) signature you have to know
> what the original signature looks like.
> With public key cryptography things work in a different (and unusual) way,
> but still; you have to know the public key of the signer to check that the
> signature is valid.

Which means that if somebody is attacking you he will substitute both the
signature file and my key when you download it. So you gain very little,
unless you have some other trust path. Trust is hard. Even if you pay money to
"solve" the problem, there are lots of cases of problems with paid-for certs.
This is why we don't really emphasise it. People who care will know what to do.

> I found his public key searching for his name in the pgp.mit.edu keyserver:
> http://pgp.mit.edu:11371/pks/lookup?search=matthew+toseland&op=index

Or just use the key I sign my emails with. If you've been subscribed for a
long time and I've always used the same key it's unlikely somebody has MITMed
you.

> The email used is the one he uses to participate in this mailing list (
> t...@ampibian.dyndns.org) and the comment says "2010-2015 key". So, I
> thought, "it must be that one", and it is. (Yes, keys can and in some cases
> should expire).

Right.

> So. With that command you can download and import his key from a server with
> the GPG utility. Then you can verify the signature.
> GPG will tell you that the signature is valid, but will still warn you,
> since the trust you put into the key is upon you. I mean: who's assuring
> that the key you got is REALLY Mister Toseland's?
>
> But, as he said, you can't have a guarantee of that unless you use a costly
> X.509 certificate. So there's no escape. Still, checking a signature made
> with a self-signed key is by far more secure than not doing any verification
> at all.
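As an added example (not part of the thread, and not Freenet project code), the steps Fabio describes can be run end to end against throwaway keyrings, with no keyserver involved: a "signer" side creates a key and a detached signature, and a "reader" side tries to verify before and after importing the public key, then again after the file is modified. All user IDs, file names and the `--run` flag are constructed for this script; importing from a file stands in for the `gpg --recv-keys` call in the thread. It assumes GnuPG 2.1 or later on the PATH.

```shell
#!/bin/sh
# Added example, not from the thread: the check Fabio describes, run end to
# end against two throwaway keyrings so it works offline (no keyserver).
# "signer" stands in for the release signer, "reader" for someone who just
# downloaded the file. Every user ID, file name and path below is constructed.
set -eu

WORK=$(mktemp -d)
SIGNER_HOME="$WORK/signer"
READER_HOME="$WORK/reader"
mkdir -m 700 "$SIGNER_HOME" "$READER_HOME"

cleanup() {
    # Stop the agents gpg started for each keyring, then drop the temp files.
    for h in "$SIGNER_HOME" "$READER_HOME"; do
        GNUPGHOME="$h" gpgconf --kill gpg-agent 2>/dev/null || true
    done
    rm -rf "$WORK"
}
trap cleanup EXIT

# Each side gets its own GNUPGHOME, so the reader starts with an empty keyring,
# like a new subscriber who has never imported anything.
signer_gpg() { LC_ALL=C GNUPGHOME="$SIGNER_HOME" gpg --batch --no-tty "$@"; }
reader_gpg() { LC_ALL=C GNUPGHOME="$READER_HOME" gpg --batch --no-tty "$@"; }

# Signer side: create a key (no passphrase, it is throwaway), produce a detached
# ASCII-armoured signature (the .asc next to a release), and export the public
# key so the reader can import it.
setup_signed_release() {
    printf 'release contents (constructed sample)\n' > "$WORK/release.bin"
    signer_gpg --pinentry-mode loopback --passphrase '' \
        --quick-generate-key 'Example Signer <signer@example.invalid>' default default never
    signer_gpg --pinentry-mode loopback --passphrase '' \
        --armor --detach-sign --output "$WORK/release.bin.asc" "$WORK/release.bin"
    signer_gpg --armor --export signer@example.invalid > "$WORK/signer-pubkey.asc"
}

# Reader side. Exit status 0 means gpg accepted the signature.
verify_release() {
    reader_gpg --verify "$WORK/release.bin.asc" "$WORK/release.bin" 2>/dev/null
}

# Importing from a file stands in for "gpg --recv-keys <keyid>" in the thread;
# either way, verification is impossible until the reader has the key.
import_signer_key() {
    reader_gpg --import "$WORK/signer-pubkey.asc" 2>/dev/null
}

# Even a good signature comes with gpg's "not certified" warning, because
# nothing in the reader's keyring vouches for who owns this key. That is the
# trust problem Matthew describes: the key and the signature could both have
# been swapped by whoever controls your download path.
verify_warns_uncertified() {
    reader_gpg --verify "$WORK/release.bin.asc" "$WORK/release.bin" 2>&1 \
        | grep -q 'not certified'
}

# Any change to the file after signing invalidates the signature.
tamper_release() {
    printf 'extra byte\n' >> "$WORK/release.bin"
}

# Runs the scenario once and prints one token per step:
#   nokey=1 imported=0 warned=1 tampered=1
# (1 = gpg rejected or warned, 0 = gpg accepted)
run_scenario() {
    setup_signed_release
    if verify_release; then nokey=0; else nokey=1; fi
    import_signer_key
    if verify_release; then imported=0; else imported=1; fi
    if verify_warns_uncertified; then warned=1; else warned=0; fi
    tamper_release
    if verify_release; then tampered=0; else tampered=1; fi
    printf 'nokey=%s imported=%s warned=%s tampered=%s\n' \
        "$nokey" "$imported" "$warned" "$tampered"
}

# Invoke as: sh verify_release_demo.sh --run
if [ "${1:-}" = "--run" ]; then
    run_scenario
fi
```

The three verification results are the whole point: with no key, gpg cannot say anything about the signature; with the key imported, it reports a good signature but still warns that the key is not certified, which is exactly the "trust is upon you" caveat in the thread; and after the file changes, the same key rejects it. Pinning the key you have seen used over time (Matthew's "same key on the list for years") is what turns that warning into something you can act on.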
_______________________________________________
Support mailing list
Support@freenetproject.org
http://news.gmane.org/gmane.network.freenet.support