PGP signatures.
Mikkel L. Ellertson
mikkel at infinity-ltd.com
Sun Jun 1 19:32:16 UTC 2008
Les wrote:
> From the last two posts, I gather that the encryption comment was
> specifically directed toward the PGP signatures... DUUHHH! I should have
> read the subject. I was responding in regards to encryption for
> security purposes. Please
> disregard my previous post.
>
Even if you are using it for security purposes, you should not need
to protect the public keys. You use the public key of the person you
are sending to to encrypt the message to them, and sign it with your
private key. The they use their private key to decrypt the message,
and your public key to verify the signature. For added security, the
private keys should be signed with a good pass-phrase. (Not just a
password!)
For example, you could use my public key, available from the key
servers, or my web page, and encrypt a message. I should be the only
one that can decrypt it. (With enough computer power, you could
brute force decrypt it.) If I had your public key, I could then
verify that it was from you if you had signed it using your private
key, just like verifying a signed e-mail.
One other thought - for maximum security, you should encrypt all
message between you and the other person, not just the ones that
need to be kept confidential. That way, you can not tell what
messages are worse decrypting.
Mikkel
--
Do not meddle in the affairs of dragons,
for thou art crunchy and taste good with Ketchup!
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 189 bytes
Desc: OpenPGP digital signature
URL: <http://listman.redhat.com/archives/fedora-list/attachments/20080601/b11e74cd/attachment-0001.sig>
More information about the fedora-list
mailing list