Pretty Good Privacy
Why does my key need to be signed?
Since the 'net is the most popular way of distributing public keys, it is as easy to tamper
with a key as it is to tamper with a message, which defeats the very purpose of PGP itself!
So it is important that you do not trust a bare key you have fetched from the Internet
unless (a) you have contacted the owner of the key separately *and via a different medium,
e.g. phone, fax or snail-mail* and verified that the key actually belongs to him/her, or
(b) you have verified that the key is signed by someone you trust.

A key signature is nothing but a sort of affidavit from someone stating that they believe
the key actually belongs to the person it is supposed to belong to. Thus if I know you and
have your key details, I would be willing to sign your key, effectively telling the world,
"Yes, I believe that this key really belongs to Your Name". Now when someone fetches this
signed key over the 'net, they see my signature on it and think, "Hey, Raju believes that
this key belongs to Your Name, and I trust Raju's judgement, so I'm willing to accept this
key". Of course, they could also think, "Raju believes this is Your Name's key, and I think
Raju is a big liar and completely untrustworthy, so I will definitely not use this key to
correspond with Your Name", but that's less likely (I hope!).
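The two ways of accepting a key described above, as an added Python model that is not part of the original page: case (a) compares the fingerprint you got over another channel with the downloaded key, case (b) looks for a signature from someone whose judgement you trust. All fingerprints, names and the keyring are constructed, and the model makes explicit one check the text leaves implicit: the signer's own key must itself be genuine, otherwise an impostor could make a "Raju" key and sign with it.

```python
"""Toy model of the PGP trust decision; not real OpenPGP parsing."""
from dataclasses import dataclass, field

@dataclass
class Key:
    fingerprint: str          # hex fingerprint as PGP prints it, grouping spaces optional
    user_id: str              # the name the key claims to belong to
    certified_by: set = field(default_factory=set)  # fingerprints of keys that signed it

def normalize_fpr(fpr: str) -> str:
    """Drop the grouping spaces people use when reading a fingerprint aloud; ignore case."""
    return "".join(fpr.split()).upper()

def fingerprint_matches(key: Key, fpr_from_other_channel: str) -> bool:
    """Case (a): the fingerprint read out over phone/fax/snail-mail matches the key."""
    return normalize_fpr(key.fingerprint) == normalize_fpr(fpr_from_other_channel)

def key_is_valid(fpr, keyring, verified, trusted_signers, _seen=()):
    """Case (b), applied recursively: a signature only counts if the signer is someone
    whose judgement we trust AND the signer's own key is valid (a fake 'Raju' key has a
    different fingerprint, so it never matches). _seen stops certification loops."""
    fpr = normalize_fpr(fpr)
    if fpr in verified:                      # we checked this key ourselves, out of band
        return True
    if fpr in _seen or fpr not in keyring:   # loop, or a key we never fetched
        return False
    return any(
        signer in trusted_signers
        and key_is_valid(signer, keyring, verified, trusted_signers, _seen + (fpr,))
        for signer in keyring[fpr].certified_by
    )

# Constructed fingerprints (not real keys).
RAJU      = "7A1D 2B3C 4D5E 6F70 8192 A3B4 C5D6 E7F8 0911 2233"
YOU       = "0F1E 2D3C 4B5A 6978 8796 A5B4 C3D2 E1F0 1234 5678"
FAKE_RAJU = "DEAD BEEF DEAD BEEF DEAD BEEF DEAD BEEF DEAD BEEF"  # impostor, same name
FAKE_YOU  = "BAD0 BAD0 BAD0 BAD0 BAD0 BAD0 BAD0 BAD0 BAD0 BAD0"  # signed only by impostor
LIAR      = "1111 2222 3333 4444 5555 6666 7777 8888 9999 AAAA"  # genuine, but a big liar
CAROL     = "CAFE F00D CAFE F00D CAFE F00D CAFE F00D CAFE F00D"  # signed only by the liar
KEYS = [
    Key(RAJU, "Raju"),
    Key(YOU, "Your Name", {normalize_fpr(RAJU)}),
    Key(FAKE_RAJU, "Raju"),
    Key(FAKE_YOU, "Your Name", {normalize_fpr(FAKE_RAJU)}),
    Key(LIAR, "Big Liar"),
    Key(CAROL, "Carol", {normalize_fpr(LIAR)}),
]
KEYRING = {normalize_fpr(k.fingerprint): k for k in KEYS}
VERIFIED = {normalize_fpr(RAJU), normalize_fpr(LIAR)}  # fingerprints we checked by phone
TRUSTED_SIGNERS = {normalize_fpr(RAJU)}                # whose judgement we rely on

def decide(fpr: str) -> bool:
    """Should we use the key with this fingerprint to correspond with its owner?"""
    return key_is_valid(fpr, KEYRING, VERIFIED, TRUSTED_SIGNERS)
```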