Subject : Re: LUG: Keys, signatures, etc.

From : Jonathan Smith <smithj@gentoo.[redacted]>

Date : Thu, 06 Oct 2005 17:35:39 -0400


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

M Rulison wrote:
> Thanks to all for an interesting meeting last night @ Cox Hall.
>
> Let me see if I understand signing. Please comment on the following as
> needed:
>
> "Signatures" (certificates) used to establish the bona fides of a
> message sender may be established in two ways:
>
> 1. A signature "party" in which one or more persons ('signors')
> verify that the 'signee' is indeed identifiable (photo id's, etc.)
> that he/she is who he/she says he/she is. Signors then add their
> own keys to that of the signee. Cost: some time and computer logons.
> 2. a 'Signor' identifies him-herself satisfactorily to Verisign or
> other vouching organization, either as an individual or a
> business, etc. Said organization then issues a certificate (key).
> Cost: some time and an annual fee, e.g. $40.

While what you say is technically correct, I think you are implying the
incorrect usage. Signatures and certificates are used differently. An individual
will almost never need a certificate. They are usually used to, for example,
verify SSL connections (think: webmail.ncsu.edu, wachovia.com, gmail.com, and
so on). For wachovia, there is no web of trust. How would you sign wachovia's
key? Verify that the person who has it is an employee? Even then, how do you
know that they have permission to act on behalf of the corporation? Verisign
does that legal work for you, to ensure that the key supposedly from the
company is legal and from the right people *in* the company.

To my knowledge, it is impossible to buy a gpg signature from, say, Verisign.
So you're comparing apples and oranges.

- --

smithj

Gentoo Developer
[ desktop stuff && network monitoring && documentation ]

Every email I send is digitally signed with OpenPGP key ID 33E2528C, available
from pgp.mit.edu


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFDRZirl5AvwDPiUowRAry1AKDcXNnKAYWDRXhSA2G5MB5YkpkLOgCePdeS
icw3d5Mws0YGRDDWSuA+QTQ=
=93+4
-----END PGP SIGNATURE-----

