Re: GPG
- From: Allen Kistler <ackistler@xxxxxxxxx>
- Date: Sat, 15 Nov 2008 13:38:19 -0600
Doug Laidlaw wrote:
Allen Kistler wrote:
Doug Laidlaw wrote:
I have never believed in "Don't ask questions; just follow the crowd."
Several points:
Accepting "the crowd" has given me a disk bloated with drivers that I
will never use, and locales that I will never use, with no better
justification than the famous "Because they are there!"
I am still wondering if I need GPG at all. About the only scenario I can
see where it is worth the trouble is emailing credit card details. If such
an email is signed with GPG, is it protected during transit? It is in no
way protected upon arrival.
The only thing signing your payment card info does is assure the
recipient that you and only you sent it, assuming the recipient uses GPG
or PGP and has your public key.
Signing your payment card info does not in any way "protect" it from
interception.
To protect the info in transit, you need the recipient's public key and
you need to use it to encrypt the data to him (and maybe to yourself so
you can read what you sent).
If you use a reliable method to transport information confidentially to
someone who's careless with the info after he gets it, then you should
make sure that he's contractually liable for negligence on his part. If
you can enforce no such liability on someone who's known to be
negligent, why are you sending him confidential information? That's not
a technical problem, and it's not going to have a technical solution.
The whole thing of interception is interesting. Here is a parallel from my
working life:
[snip]
I don't fully understand GPG/PGP, but I get the point about the public key. Hal queried it. As I understand it, I sign the message with the
recipient's public key (if he has one,) and that is like putting on it a
padlock to which only he has "the key." Only he can unlock it. I just
wonder about email sent to mailing lists which is signed with the sender's
key. Unless that protects it in transit, it is only proof of authenticity,
which isn't important on a public list, but may be good as a general
practice.
Other folks have responded, but I'll try to give a brief summary.
In public key crypto, keys come in pairs. One is private. You keep that one to yourself. One is public. You spread that one far and wide. That's why it's public.
A sender can sign a message electronically just like he can sign a paper message. If the mechanism (PGP/GPG is one example) is reliable, then it's "very hard" for someone else to alter the message and forge a new signature on it. (It is, after all, *possible* to chop down the mightiest tree in the forest with a herring.)
You sign a message with your private key. Everybody else can read the message and verify the signature with your public key, because everybody (who so chooses) knows it.
A sender can encrypt a message using the recipient's public key, assuming the recipient has published one. Such a message is protected from being read by unauthorized parties in transit, because only someone with the matching private key can decrypt it.
Why do people sign their posts on public lists? Well, they could do it just to be cool. ("Hey, everybody, I use crypto.") More practically, they do it to make sure they're not misquoted. Anyone who checks the original post would be able to verify its authenticity. If the words of a valid original differ from the quote, then you know the poster was misquoted.
Because of the nature of Usenet, anyone can post messages as anyone else. Historically that's not been much of a problem, but I have seen flame wars where opposing parties posted messages as the other party, even including signatures to make the fake messages look real. Of course, anyone could have carefully checked all the signatures to see which were real and which were fake, but that would (my opinion) make them the second group of people with too much time on their hands described in this paragraph.