
Re: Why use pgp?



How about the so-called Certificate Authorities?
Should one use them?
And if I am paranoid, should I trust them?
What if I impersonate someone and give out keys under their name?
I read something about such issues long ago, but still don't understand.

Chuma



Dan Hugo wrote:

> Will Lowe wrote:
> >
> > On Fri, 9 Jan 1998, Tim Thomson wrote:
> >
> > > I know why you would want to use it to send encrypted messages, but why do
> > > you want to sign your messages?
> > Well, we use it to sign other things.  Like, for example, when I upload
> > a new debian package, I sign it so that the people who run ftp.debian.org
> > (and eventually you) know that that package really came from me -- I put
> > my name on it, so I'd like to make sure no one's releasing stuff under my
> > name without my authorization.  By the same token, you'd like to make
> > sure that I'm the person who did it, so that if there's a bug, or if it
> > releases some horrible plague on your computer, you can get ahold of me.
> > :)
>
> Something that might be less obvious is the fact that signing a message
> not only authenticates the author (assuming your signature, or public
> key, is available for someone to use for this purpose) of a message or
> piece of code, but it also allows one to authenticate the content of the
> message or code.  Public key encryption like PGP would allow the same
> thing to a limited number of users for an encrypted message, but if,
> using the same example, I want to post to a newsgroup and I want to make
> sure that what I post is not altered in some way, I could sign it, and
> then anyone who was interested could verify that the content that
> appears on the group is what I actually posted (once they get my public
> key).
>
> Same goes for that code example... anyone who hacks the code between the
> source and destination would not be able to create an authentic
> signature for the new content, so that the recipient could (should)
> authenticate the message for content and author (or signer, actually),
> then decide if the content is what it was when it was posted or sent,
> and that the author or signer is trustworthy.
>
> It's all very cool...
>
> Check out Applied Cryptography, by Bruce Schneier, John Wiley & Sons,
> Inc 1996, as it is pretty much THE text on this sort of thing.  There
> are many web sites as well.
>
> > Some people just have pine set up to auto-sign everything.
>
> If I recall correctly, there are cases where one shouldn't sign
> something.  If I can remember any, I'll post 'em...
>
> Hopefully, nothing changed in this message.
>
> -dh
>
> --
> TO UNSUBSCRIBE FROM THIS MAILING LIST: e-mail the word "unsubscribe" to
> debian-user-request@lists.debian.org .
> Trouble?  e-mail to templin@bucknell.edu .




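An added illustration, not part of the original thread: a toy textbook-RSA signature in Python (a stand-in for PGP, using deliberately insecure fixed keys) showing the two points raised above, that altered content fails verification, and that a key handed out under someone else's name verifies only against itself. The identity, the sample data and all function names are constructed for this example.

```python
import hashlib

E = 65537  # public exponent

def make_key(uid, p_exp, q_exp):
    """Toy RSA key built from two Mersenne primes: deterministic, NOT secure."""
    p, q = 2**p_exp - 1, 2**q_exp - 1
    return {"uid": uid, "n": p * q, "d": pow(E, -1, (p - 1) * (q - 1))}

def public(key):
    """The part that gets handed out: name and modulus, never d."""
    return {"uid": key["uid"], "n": key["n"]}

def fingerprint(pub):
    """Hash of the key material only; the name on the key is not covered."""
    raw = pub["n"].to_bytes((pub["n"].bit_length() + 7) // 8, "big")
    return hashlib.sha256(raw).hexdigest()[:16]

def _digest(message, n):
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n

def sign(key, message):
    return pow(_digest(message, key["n"]), key["d"], key["n"])

def verify(pub, message, sig):
    return pow(sig, E, pub["n"]) == _digest(message, pub["n"])

def demo():
    uid = "Alice Example <alice@example.org>"       # constructed identity
    alice = make_key(uid, 521, 607)
    other = make_key(uid, 521, 1279)                # different key, same name
    post = b"package contents as uploaded (constructed sample)"
    altered = post + b" plus one changed byte"
    sig = sign(alice, post)
    other_sig = sign(other, altered)
    return {
        "intact": verify(public(alice), post, sig),
        "altered": verify(public(alice), altered, sig),
        "other_key_self": verify(public(other), altered, other_sig),
        "other_key_vs_alice": verify(public(alice), altered, other_sig),
        "same_name": public(alice)["uid"] == public(other)["uid"],
        "same_fingerprint": fingerprint(public(alice)) == fingerprint(public(other)),
    }

if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check:20} {result}")
```

The two keys carry the same name and differ only in fingerprint, so a verifier has to compare the fingerprint against one obtained through a channel it already trusts before a "good signature" result means anything about who signed.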

