PGP signatures.

Mikkel L. Ellertson mikkel at infinity-ltd.com
Sun Jun 1 19:32:16 UTC 2008


Les wrote:
> From the last two posts, I gather that the encryption comment was
> specifically directed toward the PGP signatures... DUUHHH! I should have
> read the subject.  I was responding in regards to encryption for
> security purposes.  Please disregard my previous post.
> 
Even if you are using it for security purposes, you should not need 
to protect the public keys. You use the public key of the person you 
are sending to to encrypt the message to them, and sign it with your 
private key. Then they use their private key to decrypt the message, 
and your public key to verify the signature. For added security, the 
private keys should be signed with a good pass-phrase. (Not just a 
password!)

For example, you could use my public key, available from the key 
servers, or my web page, and encrypt a message. I should be the only 
one that can decrypt it. (With enough computer power, you could 
brute force decrypt it.) If I had your public key, I could then 
verify that it was from you if you had signed it using your private 
key, just like verifying a signed e-mail.

One other thought - for maximum security, you should encrypt all 
messages between you and the other person, not just the ones that 
need to be kept confidential. That way, you can not tell what 
messages are worth decrypting.

Mikkel
-- 

   Do not meddle in the affairs of dragons,
for thou art crunchy and taste good with Ketchup!
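
The exchange described in the message above, as an added example that is not part of the original post: two throwaway keyrings stand in for sender and recipient, only public keys cross between them, and the recipient's GnuPG status output is checked for both a successful decryption and a good signature. The identities, pass-phrases and the helper names `g` and `pgp_roundtrip` are constructed for illustration, and GnuPG 2.1 or later installed as `gpg` is assumed.

```shell
#!/usr/bin/env bash
# Added example: constructed identities and pass-phrases, throwaway keyrings.
# Assumes GnuPG 2.1 or later is installed as `gpg`.

g() {  # run gpg against one party's keyring: g <homedir> <pass-phrase> <args...>
  local home=$1 pass=$2; shift 2
  # --passphrase on the command line is for this demo only; it is visible
  # in the process list.
  gpg --homedir "$home" --batch --quiet --no-tty \
      --pinentry-mode loopback --passphrase "$pass" "$@"
}

pgp_roundtrip() {
  local top a b plain ok
  top=$(mktemp -d) || return 1
  a=$top/alice; b=$top/bob
  mkdir -m 700 "$a" "$b"

  # Each party creates a key pair; the private half stays in its own keyring.
  g "$a" 'alice demo pass-phrase' --quick-generate-key alice@example.invalid default default never
  g "$b" 'bob demo pass-phrase'   --quick-generate-key bob@example.invalid   default default never

  # Only public keys are exchanged.
  g "$a" '' --export alice@example.invalid | g "$b" '' --import
  g "$b" '' --export bob@example.invalid   | g "$a" '' --import

  # Sender: encrypt to the recipient's public key, sign with own private key.
  echo 'constructed test message' |
    g "$a" 'alice demo pass-phrase' --trust-model always --armor \
      --local-user alice@example.invalid --recipient bob@example.invalid \
      --sign --encrypt > "$top/msg.asc"

  # Recipient: decrypt with own private key, verify with sender's public key.
  plain=$(g "$b" 'bob demo pass-phrase' --trust-model always \
            --status-fd 3 --decrypt "$top/msg.asc" 3> "$top/status")
  ok=$(grep -c -E '^\[GNUPG:\] (GOODSIG |DECRYPTION_OKAY)' "$top/status")

  GNUPGHOME=$a gpgconf --kill gpg-agent
  GNUPGHOME=$b gpgconf --kill gpg-agent
  rm -rf "$top"

  # Release the plaintext only if both status lines were seen.
  [ "$ok" -eq 2 ] && printf '%s\n' "$plain"
}
```

Calling `pgp_roundtrip` prints the message only when both checks pass.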
