Re: Why use pgp?
Will Lowe wrote:
> 
> On Fri, 9 Jan 1998, Tim Thomson wrote:
> 
> > I know why you would want to use it to send encrypted messages, but why do
> > you want to sign your messages?
> Well,  we use it to sign other things.  Like,  for example,  when I upload
> a new debian package,  I sign it so that the people who run ftp.debian.org
> (and eventually you) know that that package really came from me -- I put
> my name on it,  so I'd like to make sure no one's releasing stuff under my
> name without my authorization.  By the same token,  you'd like to make
> sure that I'm the person who did it,  so that if there's a bug,  or if it
> releases some horrible plague on your computer,  you can get ahold of me.
> :)
Something that might be less obvious is the fact that signing a message
not only authenticates the author (assuming your signature, or public
key, is available for someone to use for this purpose) of a message or
piece of code, but it also allows one to authenticate the content of the
message or code.  Public key encryption like PGP would allow the same
thing to a limited number of users for an encrypted message, but if,
using the same example, I want to post to a newsgroup and I want to make
sure that what I post is not altered in some way, I could sign it, and
then anyone who was interested could verify that the content that
appears on the group is what I actually posted (once they get my public
key).

Same goes for that code example... anyone who hacks the code between the
source and destination would not be able to create an authentic
signature for the new content, so that the recipient could (should)
authenticate the message for content and author (or signer, actually),
then decide if the content is what it was when it was posted or sent,
and that the author or signer is trustworthy.

It's all very cool...

Check out Applied Cryptography, by Bruce Schneier, John Wiley & Sons,
Inc 1996, as it is pretty much THE text on this sort of thing.  There
are many web sites as well.

> Some people just have pine set up to auto-sign everything.

If I recall correctly, there are cases where one shouldn't sign
something.  If I can remember any, I'll post 'em...

Hopefully, nothing changed in this message.

-dh
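As an added illustration that is not part of this thread, the following Go program uses the standard library's Ed25519 (a modern signature scheme, standing in for PGP) to show the property dh describes: a detached signature over a package upload notice verifies against the original content, but fails once the content is altered in transit or when the signature is checked against someone else's public key. The message text and key pairs are constructed here for the demonstration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Signer holds a key pair. The public half is what you would publish (the
// PGP public key in the thread's example) so that recipients can verify.
type Signer struct {
	Public  ed25519.PublicKey
	private ed25519.PrivateKey
}

// NewSigner generates a fresh key pair (constructed for this example).
func NewSigner() (*Signer, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Signer{Public: pub, private: priv}, nil
}

// Sign produces a detached signature over msg, like a PGP detached .sig.
func (s *Signer) Sign(msg []byte) []byte {
	return ed25519.Sign(s.private, msg)
}

// Verify reports whether sig is a valid signature on msg under pub. Any
// change to msg, or a different signing key, makes this return false.
func Verify(pub ed25519.PublicKey, msg, sig []byte) bool {
	return ed25519.Verify(pub, msg, sig)
}

func main() {
	maintainer, _ := NewSigner()
	impostor, _ := NewSigner()

	// Constructed sample message: an upload announcement for a package.
	msg := []byte("Uploaded foo_1.0-1.deb to ftp.debian.org")
	sig := maintainer.Sign(msg)

	fmt.Println("original, maintainer key:", Verify(maintainer.Public, msg, sig))
	altered := []byte("Uploaded foo_1.0-1.deb to ftp.example.invalid")
	fmt.Println("altered in transit:      ", Verify(maintainer.Public, altered, sig))
	fmt.Println("checked with wrong key:  ", Verify(impostor.Public, msg, sig))
}
```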