A keyserver is a convenience. Of course it's not magic. Right now I am using 
K-9 Mail and OpenKeychain on Android. When I received the above message from 
the list, K-9 Mail informed me that it was signed with a key with fingerprint 
"0xff80ae9d1dec358d", and referred me to the OpenKeychain app, which searched 
keyservers and found a matching public key, which I was allowed to import to 
verify the signature, which I did successfully.

The fingerprints are some collision-resistant secure hashes, and in theory it 
is extraordinarily difficult to create another public key with the same 
fingerprint.

I have never met "Werner Koch" personally, but I am about as certain as I can 
be (under the present scheme of things) that that is the key fingerprint of the 
person from GnuPG.org who posts to the mailing list, and that there would be 
quite a bit of noise on the list in case of a mistaken identity.

There is a certain "reputation effect" with a public key which in theory 
obviates the need for in-person verification and secret handshakes.

The major difficulties and points of weakness to the whole scheme, in my 
opinion, are (a) retaining possession of the private key, and (b) denying 
others illicit access to the private key.

Point (b) is a long-term, seemingly irremediable, problem. The long key 
lifetimes and the general lack of *Perfect Forward Secrecy* greatly aggravate 
the risk of a catastrophic total compromise of all data signed with or 
encrypted to the private key.

-- 
A well regulated Militia, being necessary to the security of a free State, the 
right of the people to keep and bear Arms, shall not be infringed.

https://www.colmena.biz/~justina/justina.colmena.asc

Attachment: signature.asc
Description: PGP signature

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
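
Added example, not part of the original message or of GnuPG/OpenKeychain code: how an OpenPGP version 4 fingerprint is derived from a public-key packet (RFC 4880, section 12.2: SHA-1 over 0x99, a two-byte length, and the packet body), with the 64-bit key ID being its low 16 hex digits, and a check that accepts a keyserver result only against a full 40-digit fingerprint. The RSA numbers, timestamp and the helper names are constructed for illustration and are not real key material.

```python
import hashlib
import struct


def mpi(n: int) -> bytes:
    """OpenPGP multiprecision integer: 2-byte bit count, then big-endian bytes."""
    return struct.pack(">H", n.bit_length()) + n.to_bytes((n.bit_length() + 7) // 8, "big")


def rsa_key_body(created: int, n: int, e: int) -> bytes:
    """Body of a version 4 public-key packet using RSA (algorithm id 1)."""
    return bytes([4]) + struct.pack(">I", created) + bytes([1]) + mpi(n) + mpi(e)


def v4_fingerprint(body: bytes) -> str:
    """SHA-1 over 0x99 || 2-byte body length || body, as 40 hex digits."""
    data = b"\x99" + struct.pack(">H", len(body)) + body
    return hashlib.sha1(data).hexdigest().upper()


def long_key_id(fingerprint: str) -> str:
    """The 64-bit key ID is the low-order 8 bytes of the v4 fingerprint."""
    return fingerprint[-16:]


def matches(fetched_body: bytes, expected: str) -> bool:
    """Accept a fetched key only if it matches a full 40-digit fingerprint.

    Shorter identifiers (such as a 16-digit key ID) are refused, because they
    cover only part of the hash output.
    """
    want = expected.upper().replace(" ", "").removeprefix("0X")
    if len(want) != 40:
        return False
    return v4_fingerprint(fetched_body) == want


# Constructed sample input: a 2048-bit odd number standing in for an RSA modulus.
SAMPLE_N = (1 << 2047) | 1
SAMPLE_BODY = rsa_key_body(created=1500000000, n=SAMPLE_N, e=65537)

if __name__ == "__main__":
    fpr = v4_fingerprint(SAMPLE_BODY)
    print("fingerprint:", fpr)
    print("long key ID: 0x" + long_key_id(fpr))
    print("full match :", matches(SAMPLE_BODY, fpr))
    print("ID only    :", matches(SAMPLE_BODY, long_key_id(fpr)))
```

The creation timestamp is part of the hashed packet body, so the same key material with a different timestamp yields a different fingerprint.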
