[colug-432] PGP Signing Party
Richard Holbert
holbert.13 at osu.edu
Tue Dec 21 09:00:00 EST 2010
On 12/21/2010 08:15 AM, Steve VanSlyck wrote:
> Well, can't they do that anyway? I mean that's been my difficulty with
> certificates and PGP and so on all along.
>
> The guy that stole my wallet displayed my drivers license and signed my
> name to the credit card slip with no problem. Having someone else's
> initials on my driver's license telling the world that I'm me wouldn't
> have helped. It seems to me that signing only helps prove my identity to
> the specific person who signed, not to the world in general, and even
> then only so long as I'm in possession of the computer I used to generate
> the email.
Your driver's license was issued by a central authority. The central
authority was already trusted by the person who accepted it as proof of
identity. PGP certificates are generated by individuals.
Some people store their private keys on removable media so they don't
need to be in possession of the computer used to generate the keys...
Also, PGP incorporates what's called two factor authentication, i.e.,
something you have and something you know. So, even if someone stole
your private key, they wouldn't know your pass phrase and couldn't use
it to read your encrypted messages or digitally sign stuff using your
private key.
http://en.wikipedia.org/wiki/Two-factor_authentication
> Is that what signing is for - to validate a one-to-one relationship?
Signing can be used to validate a one-to-one relationship, but usually
signing is used to implement a "Web of Trust."
http://en.wikipedia.org/wiki/Web_of_trust
Validating a one-to-one relationship is usually accomplished by using a
public key fingerprint.
http://en.wikipedia.org/wiki/Public_key_fingerprint
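As an added illustration of the two points above (fingerprint comparison for one-to-one validation, and key signatures feeding a Web of Trust), here is a small, constructed Python model. It is not code from this list or from GnuPG: the key material, the names, and the SHA-256 "fingerprint" are all made up, and the validity rule is a simplified version of the classic GnuPG trust model (its defaults of 1 fully trusted signer or 3 marginally trusted signers, chain depth at most 5). Real OpenPGP fingerprints are computed over a specific packet encoding, and real certifications are verified signatures; this model treats each certification as already verified so the trust computation itself is visible.

```python
import hashlib
from dataclasses import dataclass, field

# Owner-trust levels, in the spirit of GnuPG's classic trust model (constructed constants).
OWNER_UNKNOWN, OWNER_MARGINAL, OWNER_FULL, OWNER_ULTIMATE = 0, 1, 2, 3
MARGINALS_NEEDED = 3   # GnuPG default --marginals-needed
COMPLETES_NEEDED = 1   # GnuPG default --completes-needed
MAX_CERT_DEPTH = 5     # GnuPG default --max-cert-depth


def fingerprint(public_key_bytes: bytes) -> str:
    """Hex 'fingerprint' of the key material. Assumption: SHA-256 over raw bytes;
    real OpenPGP v4 fingerprints are SHA-1 over a defined packet encoding."""
    return hashlib.sha256(public_key_bytes).hexdigest().upper()


def format_fingerprint(fpr: str) -> str:
    """Group hex digits in fours, the way a fingerprint is printed on a slip or read aloud."""
    return " ".join(fpr[i:i + 4] for i in range(0, len(fpr), 4))


def fingerprints_match(out_of_band: str, computed: str) -> bool:
    """One-to-one validation: the fingerprint obtained in person (or over the phone)
    must equal the one computed from the downloaded key. Whitespace and case are
    ignored; a single differing hex digit is a mismatch."""
    norm = lambda s: "".join(s.split()).upper()
    return norm(out_of_band) == norm(computed)


@dataclass
class Keyring:
    # subject fingerprint -> set of signer fingerprints that certified it
    certifications: dict = field(default_factory=dict)
    # fingerprint -> owner trust assigned by the keyring's owner
    owner_trust: dict = field(default_factory=dict)

    def certify(self, signer_fpr: str, subject_fpr: str) -> None:
        """Record that signer vouched for subject (after checking its fingerprint)."""
        self.certifications.setdefault(subject_fpr, set()).add(signer_fpr)

    def valid_keys(self) -> set:
        """Keys considered valid: ultimately trusted keys, plus any key certified by
        COMPLETES_NEEDED fully/ultimately trusted valid keys or MARGINALS_NEEDED
        marginally trusted valid keys. Signatures from untrusted or invalid keys
        count for nothing. Iteration is bounded by MAX_CERT_DEPTH."""
        valid = {f for f, t in self.owner_trust.items() if t == OWNER_ULTIMATE}
        for _ in range(MAX_CERT_DEPTH):
            new = set(valid)
            for subject, signers in self.certifications.items():
                if subject in new:
                    continue
                usable = [s for s in signers if s in valid]
                trust = lambda s: self.owner_trust.get(s, OWNER_UNKNOWN)
                full = sum(1 for s in usable if trust(s) >= OWNER_FULL)
                marginal = sum(1 for s in usable if trust(s) == OWNER_MARGINAL)
                if full >= COMPLETES_NEEDED or marginal >= MARGINALS_NEEDED:
                    new.add(subject)
            if new == valid:
                break
            valid = new
        return valid


def build_example_keyring():
    """Constructed keyring: the names are placeholders and the key bytes are fake."""
    names = ["me", "alice", "bob", "carol", "dave", "eve", "frank", "stranger", "mallory"]
    fpr = {n: fingerprint(f"{n} public key material".encode()) for n in names}
    kr = Keyring()
    kr.owner_trust[fpr["me"]] = OWNER_ULTIMATE      # my own key
    kr.owner_trust[fpr["alice"]] = OWNER_FULL       # I trust alice to check fingerprints carefully
    for n in ("bob", "carol", "dave", "eve"):
        kr.owner_trust[fpr[n]] = OWNER_MARGINAL     # partial trust in their checking
    for n in ("alice", "bob", "carol"):             # keys I verified at the signing party
        kr.certify(fpr["me"], fpr[n])
    kr.certify(fpr["alice"], fpr["dave"])           # one fully trusted signer suffices
    for n in ("bob", "carol", "dave"):              # three marginal signers suffice
        kr.certify(fpr[n], fpr["eve"])
    kr.certify(fpr["eve"], fpr["frank"])            # only one marginal signer: not enough
    kr.certify(fpr["stranger"], fpr["mallory"])     # signer unknown to me: counts for nothing
    return kr, fpr


def validity_by_name() -> dict:
    """Map each placeholder name to whether its key is valid in the example keyring."""
    kr, fpr = build_example_keyring()
    valid = kr.valid_keys()
    return {name: f in valid for name, f in fpr.items()}


if __name__ == "__main__":
    _, fpr = build_example_keyring()
    print("alice's fingerprint as read out:", format_fingerprint(fpr["alice"]))
    for name, ok in validity_by_name().items():
        print(f"{name:>9}: {'valid' if ok else 'NOT valid'}")
```

The point the model makes visible: a key becomes valid to me only through a chain that starts at my own key, and how much each signature is worth depends on the owner trust I assigned to the signer, not on anything the signer claims. The fingerprint check is the step that happens before any certification is made, and it is what the in-person signing party is for.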