[colug-432] PGP Signing Party

Richard Holbert holbert.13 at osu.edu
Tue Dec 21 09:00:00 EST 2010

On 12/21/2010 08:15 AM, Steve VanSlyck wrote:
> Well, can't they do that anyway? I mean that's been my difficultty with
> certificates and PGP and so on all along.
> The guy that stole my wallet displayed my drivers license and signed my
> name to the credit card slip with no problem. Having someone else's
> initials on my driver's license telling the world that I'm me wouldn't
> have helped. It seems to me that signing only helps prove my identity to
> the specific person who signed, not to the world in general, and even
> then only so long as I'm in possession of the computer I used to generate
> the email.
Your driver's license was issued by a central authority. The central 
authority was already trusted by the person who accepted it as proof of 
identity. PGP certificates are generated by individuals.

Some people store their private keys on removable media so they don't 
need to be in possession of the computer used to generate the keys...

Also, PGP incorporates what's called two factor authentication, i.e., 
something you have and something you know. So, even if someone stole 
your private key, they wouldn't know your pass phrase and couldn't use 
it to read your encrypted messages or digitally sign stuff using your 
private key.

> Is that what signing is for - to validate a one-to-one relationship?
Signing can be used to validate a one-to-one relationship, but usually 
signing is used to implement a "Web of Trust."


Validating a one-to-one relationship is usually accomplished by using a 
public key fingerprint.


More information about the colug-432 mailing list