Re: About PGP Signing a File.

Tony Arnold wrote:

John Dangler wrote:
On Sun, 2007-02-11 at 02:24 -0500, Matthew Flaschen wrote:
Joel Bryan Juliano wrote:
Hi,

I have a question regarding signing a file or binary. I installed
Seahorse, which is a really awesome tool! And it has a
nautilus-extension that easily encrypts and signs a file or
directory by right-clicking the file. Can someone please tell me
the use of signing a binary file or directory? I know it's
important, but I really don't get it.
There's no use, unless you're planning on sending the file to
someone. If you do send it to someone, they can check the
signature to verify you sent it. Emails and most forms of
electronic communication can be easily forged, but signatures
can't be.

As in - gpg: armor header: Version: GnuPG v1.4.3 (GNU/Linux)
gpg: armor header: Comment: Using GnuPG with Mozilla -
http://enigmail.mozdev.org
gpg: Signature made Sun 11 Feb 2007 02:24:30 AM EST using DSA key ID
3BBDED59
gpg: Can't check signature: public key not found

(this is what I see on your signature of your emails to the list)...

You need to import his public key from a key server somewhere and add
it to your keyring.

Or even better... meet in person, demand three forms of photo ID, and run
fingerprints through NCIC/whatever. All in front of reliable, bondable
witnesses. <grin>

The question then is how much do you trust this key that you believe
belongs to a certain person?

This is why PGP/GnuPG are primarily data integrity tools and not proof
of authorship tools. Indeed most digital signature schemes can't be
used to reliably authenticate origin, just guarantee data hasn't been
tampered with. The more refined tools like GnuPG and PGP implement
methods of forming trusted relationships, but they are in general not so
robust and are easily exploited. Certainly not to be relied on for any
mission-critical work.

There are other protocols which address identity in much more suitable
ways, although the "zero knowledge proof" problem has been a major
thorn in cryptographers' sides since cryptography was invented. ;)

--
_?_ Outside of a dog, a book is a man's best friend.
(o o) Inside of a dog, it's too dark to read.
-oOO-(_)--OOo------------------------------[ Groucho Marx ]---
http://wrench.homelinux.net/~jeff/

--
ubuntu-users mailing list
ubuntu-users@xxxxxxxxxxxxxxxx
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-users
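The cycle the thread walks through (sign a file, see "public key not found" without the signer's key, import the key, get a good signature that gpg still flags as untrusted, and watch a tampered file fail), as an added shell example that is not from the list posts. It assumes GnuPG 2.1 or later on PATH and works entirely in throwaway keyrings on a constructed sample file.

```shell
#!/bin/sh
# Added example: GnuPG sign/verify walkthrough in scratch keyrings.
set -e

# Returns 0 when every step behaves as described in the thread.
pgp_sign_verify_demo() {
  work=$(mktemp -d)
  signer="$work/signer"; verifier="$work/verifier"
  mkdir -m 700 "$signer" "$verifier"
  printf 'release tarball contents (constructed sample)\n' > "$work/file.bin"

  # Signer side: unattended key generation (no passphrase) for the demo.
  gpg --homedir "$signer" --batch --quiet --gen-key 2>/dev/null <<EOF
%no-protection
Key-Type: default
Subkey-Type: default
Name-Real: Demo Signer
Name-Email: demo@example.invalid
Expire-Date: 0
%commit
EOF
  gpg --homedir "$signer" --batch --quiet --armor --detach-sign \
      --output "$work/file.bin.asc" "$work/file.bin"

  # Recipient without the public key: gpg cannot check the signature.
  if gpg --homedir "$verifier" --verify "$work/file.bin.asc" "$work/file.bin" 2>/dev/null; then
    echo "unexpected: verified without the public key"; return 1
  fi

  # Import the signer's public key (from a keyserver or in person in practice).
  gpg --homedir "$signer" --armor --export demo@example.invalid \
    | gpg --homedir "$verifier" --batch --quiet --import 2>/dev/null

  # Good signature now, but still "not certified with a trusted signature":
  # integrity is proven, authorship only as far as you trust the key itself.
  out=$(gpg --homedir "$verifier" --verify "$work/file.bin.asc" "$work/file.bin" 2>&1) || return 1
  case "$out" in *"Good signature"*) ;; *) echo "$out"; return 1 ;; esac
  case "$out" in *"WARNING"*) ;; *) echo "expected untrusted-key warning"; return 1 ;; esac

  # Tamper with the file: the same signature must fail.
  printf 'tampered\n' >> "$work/file.bin"
  if gpg --homedir "$verifier" --verify "$work/file.bin.asc" "$work/file.bin" 2>/dev/null; then
    echo "unexpected: tampered file verified"; return 1
  fi

  gpgconf --homedir "$signer" --kill gpg-agent 2>/dev/null || true
  gpgconf --homedir "$verifier" --kill gpg-agent 2>/dev/null || true
  rm -rf "$work"
}

pgp_sign_verify_demo && echo "walkthrough matched the thread"
```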