[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Signing text messages...
Dr. Zaphod writes:
> By including your public key WITH your signed messages, aren't you inviting
> people to intercept it, replace it with they're own public key, and re-sign
> the message? If I didn't have a trusted copy of your public key already I
> wouldn't be able to verify your signature.
I'm not sure what attack you are proposing here. Are you suggesting
that someone else could take credit for my (brilliant?) message by
removing the PGP signature and substituting one of their own? But
digital signatures can't stop other people from doing this.
Or are you suggesting that someone else could create a bogus public
key claiming to mine, re-sign the message using that public key, and
then get people to think it was from me? Or, worse, they could create
a whole new message saying "I am a turkey, signed Hal Finney", sign it
with this bogus "Hal Finney" public key, and post it. Then I'd really
have egg on my face, right?
But no, I wouldn't, because people would (or should) know not to trust
a random public key to be from whom it claims. My posted key is
signed by Phil Zimmermann. This doesn't absolutely prove it is from
me, but I think it makes it worthwhile to post the key.
Anyway, the real reason I posted the key in this case was so that
people could check the cleartext signature to see if it had been
mangled by various mail gateways. That was the topic of discussion in
the message, so I wanted to make it easy for people to try checking