gabriel rosenkoetter on Tue, 4 Dec 2001 16:50:30 +0100
On Tue, Dec 04, 2001 at 10:34:41AM -0500, Bob Razler wrote:
> Are you sure the signature is bad or just unverified as to ? Verisign
> issues certs to addresses, but they don't verify who you are. For
> example, they issued a cert to someone at bob@razler.com, claiming to be
> Bob Razler. All they can verify (and all my cert can verify) is that
> the mail is coming from bob@razler.com. It doesn't verify that the
> person using the address, or the person who purchased the cert is
> actually Bob Razler.

Len's point is that he and I have signed each other's GPG key (at a PLUG meeting), so we both have the other's public key in our key ring signed by our private key. This means that when I see a message signed by Len, I can verify not only that it's signed by the public key I have for him but also that I believe that public key comes from him.

He's saying the first half of that is breaking, while you're suggesting the second half is broken.

(A bad signature means that the public key/message pair doesn't match with the signature on the message, created by a private key/message pair on the other end.)

-- 
gabriel rosenkoetter
gr@eclipsed.net
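Added example, not part of the original message: a small classifier that separates the two checks discussed above (does the signature match, and is the key believed to belong to its owner) by reading the machine-readable status lines that `gpg --status-fd 1 --verify` emits. The key ID, user ID and the sample status streams are constructed for illustration; the verdict names are hypothetical.

```python
# Added example. The status keywords (GOODSIG, BADSIG, ERRSIG, NO_PUBKEY,
# TRUST_*) are ones gpg emits with --status-fd; the sample streams below are
# constructed, not captured from this thread.
PREFIX = "[GNUPG:] "
OWNER_TRUSTED = {"TRUST_FULLY", "TRUST_ULTIMATE"}


def classify(status_text):
    """Return one verdict for a `gpg --status-fd 1 --verify` status stream."""
    seen = set()
    for line in status_text.splitlines():
        if line.startswith(PREFIX):
            seen.add(line[len(PREFIX):].split(" ", 1)[0])
    # First half: does the signature match the message under the public key?
    if "BADSIG" in seen:
        return "bad-signature"
    if "GOODSIG" not in seen:
        # NO_PUBKEY, ERRSIG or anything else: no good-signature result at all.
        return "no-good-signature"
    # Second half: do we believe that public key belongs to the named person?
    # Anything short of full or ultimate validity is treated as unverified.
    if seen & OWNER_TRUSTED:
        return "good-and-owner-verified"
    return "good-but-owner-unverified"


UID = "0123456789ABCDEF Signer Example <signer@example.org>"  # constructed
SAMPLES = {
    # Message or signature altered: the math fails regardless of key trust.
    "tampered": "[GNUPG:] NEWSIG\n[GNUPG:] BADSIG " + UID + "\n",
    # Key was signed in person, so its validity is full.
    "key_signed_by_me": "[GNUPG:] GOODSIG " + UID + "\n[GNUPG:] TRUST_FULLY 0 pgp\n",
    # Signature matches, but nothing ties the key to the claimed person.
    "key_not_certified": "[GNUPG:] GOODSIG " + UID + "\n[GNUPG:] TRUST_UNDEFINED 0 pgp\n",
    # Public key absent from the key ring: the check cannot run.
    "key_missing": ("[GNUPG:] ERRSIG 0123456789ABCDEF 17 2 00 1007480000 9\n"
                    "[GNUPG:] NO_PUBKEY 0123456789ABCDEF\n"),
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(f"{name:18} -> {classify(text)}")
```
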