[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Signing Packages.gz

On Sat, Apr 01, 2000 at 10:36:44PM -0600, Zed Pobre wrote:
> > Also, what's so fundamentally wrong with transferring a secret key over
> > the net? Hint: PGP does it every time you send an encrypted email.
>     Either you are using the phrase "secret key" in a context with
> which I am unfamiliar, or you do not understand PGP.  PGP/GPG does not
> transfer your secret key component when encrypting a message to
> another.  It is possible to encrypt a message to someone else's public
> key without *having* a secret key of your own in the first place.

PGP (v2.x, I'm not uptodate with the recent OpenPGP stuff), generates a
secret (albeit symmetric, rather than public/private keypair) IDEA key
everytime you try to encrpt a message. It encrypts the message with this
key, then encrypts the key with the recipients public key, and (and here's
the bit I was referring to) *sends that secret IDEA key across the net*.


Anthony Towns <aj@humbug.org.au> <http://azure.humbug.org.au/~aj/>
I don't speak for anyone save myself. GPG encrypted mail preferred.

 ``The thing is: trying to be too generic is EVIL. It's stupid, it 
        results in slower code, and it results in more bugs.''
                                        -- Linus Torvalds

Attachment: pgpdy4_yudJRF.pgp
Description: PGP signature

Reply to: