Re: About PGP Signing a File.



John L Fjellstad wrote:
Tony Arnold <tony.arnold@xxxxxxxxxxxxxxxx> writes:

It therefore becomes a question of degrees of trust. A document that has
been signed with a key that has also been signed by a number of people
increases that degree of trust, but as you say does not guarantee
authorship. A signature based on a key that has not been signed by
anybody is much less trustworthy.

I don't see how the number of people signing a key makes it more
trustworthy unless you know at least one of the people who signed (and
then you only actually need that one person's signing). A bad guy could
just generate a bunch of new keys to sign the one key you are looking
at.

The way I understand it is just like certificates used with SSL. The
trust you put on a key depends on the security organization you are in.
So I may have a key signed by the security team of my company, that key
is trustworthy for anyone in that company but outside that company, it's
not valuable at all.
That's why, when I see some people on some mailing list signing their
mail using PGP I just wonder what they want to prove. We have no way to
check the authority behind that key.


--
ubuntu-users mailing list
ubuntu-users@xxxxxxxxxxxxxxxx
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-users
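
The point argued in this thread (many signatures from keys you do not know add nothing, while one signature from a key you trust is enough), as an added example that is not part of the original messages. It is a simplified model of web-of-trust validity: the key names are constructed, and the thresholds (1 fully trusted or 3 marginally trusted signers, depth 5) follow GnuPG's documented defaults.

```python
# Simplified web-of-trust validity model (added example; all key names
# below are constructed for illustration).
FULL, MARGINAL = "full", "marginal"
COMPLETES_NEEDED = 1   # signatures needed from fully trusted introducers
MARGINALS_NEEDED = 3   # signatures needed from marginally trusted introducers


def valid_keys(my_key, signatures, ownertrust, max_depth=5):
    """Return the set of keys considered valid from my_key's point of view.
    signatures: key -> set of keys that signed it
    ownertrust: key -> FULL or MARGINAL (absent means not trusted to introduce)
    """
    valid = {my_key}
    for _ in range(max_depth):
        newly_valid = set()
        for key, signers in signatures.items():
            if key in valid:
                continue
            # A signature counts only if the signer's key is itself valid
            # AND the user has chosen to trust that signer as an introducer.
            introducers = [s for s in signers if s in valid]
            full = sum(1 for s in introducers
                       if s == my_key or ownertrust.get(s) == FULL)
            marginal = sum(1 for s in introducers
                           if ownertrust.get(s) == MARGINAL)
            if full >= COMPLETES_NEEDED or marginal >= MARGINALS_NEEDED:
                newly_valid.add(key)
        if not newly_valid:
            break
        valid |= newly_valid
    return valid


def demo():
    strangers = {f"sock{i}" for i in range(50)}  # keys nobody you know vouches for
    signatures = {
        "colleague": {"me"},          # key you verified and signed yourself
        "popular": strangers,         # 50 signatures, all from unknown keys
        "vouched": {"colleague"},     # 1 signature, from someone you trust
    }
    for s in strangers:               # the unknown keys also sign each other
        signatures[s] = strangers - {s}
    return valid_keys("me", signatures, {"colleague": FULL})


if __name__ == "__main__":
    print(sorted(demo()))
```
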


