On Tuesday 31 March 2009 15:01:42 Anne Wilson wrote:
> On Tuesday 31 March 2009 13:16:42 Tim wrote:
> > On Tue, 2009-03-31 at 12:27 +0100, Bill Crawford wrote:
> > > Ought to be possible for people to visit companies' offices and sign
> > > their keys, and add them to the "web of trust" as per PGP / GPG keys.
> > > No idea if / how that should be done, in practice, though.
> >
> > Actually, I'd like to be able to do something like that with banking (go
> > into the branch, and physically confirm keys used for banking). For the
> > one or two people that I've used encrypted mail with, I exchanged keys
> > in person.
>
> Bear in mind that the Public Key is intended to be just that - public. It
> is useless to anyone else as only you have the Private Key that forms the
> pair, so there is no problem at all about the public key being accessible.
> It can *only* be used to compare against your signature. It cannot be used
> in any attempt to pretend to be you.

Yes, but the point is, without taking that verification step, you've no way
of being confident that the key you see with name "X" on it actually belongs
to the person you communicate with named "X". The steps he's outlining go a
long way towards avoiding "man in the middle" attacks, because he won't be
fooled by a key with the same name "X" on it, but different. Well, not if he
checks the key fingerprint anyway :o)

-- 
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines
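Added example, not part of the fedora-list thread above: the check the last reply calls for is a comparison of the key's fingerprint, obtained out of band (in person, on a card, over the phone), against the fingerprint computed from the key you actually received, because a second key carrying the same user ID "X" is trivial to create. The code below computes an OpenPGP v4 fingerprint the way RFC 4880 section 12.2 specifies (SHA-1 over 0x99, the two-octet packet length, and the public-key packet body) and uses it to pick the right key out of two candidates that share a name. The RSA moduli, user IDs and creation time are constructed toy values, not real keys, and the function and constant names are my own; the arithmetic matches what `gpg --fingerprint` prints for a real v4 key.

```python
"""OpenPGP v4 fingerprint computation and out-of-band comparison.

Added example for the thread above; key material is constructed, not real.
"""
import hashlib
import struct


def mpi(value: int) -> bytes:
    """Encode an integer as an OpenPGP MPI: 2-byte bit length, then big-endian bytes (RFC 4880 s3.2)."""
    bit_len = value.bit_length()
    return struct.pack(">H", bit_len) + value.to_bytes((bit_len + 7) // 8, "big")


def rsa_public_key_body(n: int, e: int, created: int) -> bytes:
    """Body of a v4 public-key packet for RSA (algorithm id 1):
    version 4, 4-byte creation time, algorithm, then n and e as MPIs (RFC 4880 s5.5.2)."""
    return b"\x04" + struct.pack(">I", created) + b"\x01" + mpi(n) + mpi(e)


def v4_fingerprint(body: bytes) -> str:
    """RFC 4880 s12.2: SHA-1 of 0x99 || two-octet length || packet body, as 40 upper-case hex digits."""
    if len(body) > 0xFFFF:
        raise ValueError("packet body too long for a two-octet length")
    digest = hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body)
    return digest.hexdigest().upper()


def long_key_id(fingerprint: str) -> str:
    """The 64-bit key ID is the low-order eight octets of a v4 fingerprint."""
    return fingerprint[-16:]


def normalize_fingerprint(text: str) -> str:
    """Drop the spaces and colons people insert when reading a fingerprint aloud or printing it on a card."""
    return "".join(ch for ch in text if ch.isalnum()).upper()


def key_matches(body: bytes, expected_fingerprint: str) -> bool:
    """The verification step from the thread: compare the computed fingerprint with
    one learned out of band. A malformed expected value never matches."""
    expected = normalize_fingerprint(expected_fingerprint)
    if len(expected) != 40 or any(ch not in "0123456789ABCDEF" for ch in expected):
        return False
    return v4_fingerprint(body) == expected


def select_key(candidates, expected_fingerprint: str):
    """Given (user_id, packet_body) pairs that may all claim to be "X", return the body
    whose fingerprint matches the out-of-band value, or None. The user ID is ignored on purpose."""
    for _user_id, body in candidates:
        if key_matches(body, expected_fingerprint):
            return body
    return None


# Constructed sample data: two 1024-bit "keys" that both claim to belong to X.
# The moduli are arbitrary odd numbers, not products of primes; only the packet layout matters here.
CREATED = 1238515302  # 2009-03-31, a fixed creation time so the fingerprints are stable
USER_ID = "X <x@example.org>"
GENUINE = rsa_public_key_body((1 << 1023) | 0xC0FFEE_1234_5678_9ABC_DEF1, 65537, CREATED)
IMPOSTOR = rsa_public_key_body((1 << 1023) | 0xBAD_F00D_0000_0000_0000_0001, 65537, CREATED)

if __name__ == "__main__":
    trusted = v4_fingerprint(GENUINE)  # what X wrote on the card handed over in person
    print("fingerprint from the card:", " ".join(trusted[i:i + 4] for i in range(0, 40, 4)))
    for label, body in (("genuine", GENUINE), ("impostor", IMPOSTOR)):
        print(f"{label:9s} uid={USER_ID!r} keyid={long_key_id(v4_fingerprint(body))} "
              f"matches={key_matches(body, trusted)}")
    chosen = select_key([(USER_ID, IMPOSTOR), (USER_ID, GENUINE)], trusted)
    print("selected the genuine key:", chosen == GENUINE)
```

Both candidates pass a name-only check; only the fingerprint comparison rejects the impostor, which is the point the reply makes. In practice the same comparison is done by reading the output of `gpg --fingerprint` against the value obtained in person, and the 16-hex-digit key ID alone is not a substitute, since it is only the tail of the fingerprint.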