Will Lowe wrote:
>
> On Fri, 9 Jan 1998, Tim Thomson wrote:
>
> > I know why you would want to use it to send encrypted messages, but why do
> > you want to sign your messages?
> Well, we use it to sign other things. Like, for example, when I upload
> a new debian package, I sign it so that the people who run ftp.debian.org
> (and eventually you) know that that package really came from me -- I put
> my name on it, so I'd like to make sure no one's releasing stuff under my
> name without my authorization. By the same token, you'd like to make
> sure that I'm the person who did it, so that if there's a bug, or if it
> releases some horrible plague on your computer, you can get ahold of me.
> :)

Something that might be less obvious is the fact that signing a message not only authenticates the author (assuming your signature, or public key, is available for someone to use for this purpose) of a message or piece of code, but it also allows one to authenticate the content of the message or code. Public key encryption like PGP would allow the same thing to a limited number of users for an encrypted message, but if, using the same example, I want to post to a newsgroup and I want to make sure that what I post is not altered in some way, I could sign it, and then anyone who was interested could verify that the content that appears on the group is what I actually posted (once they get my public key).

Same goes for that code example... anyone who hacks the code between the source and destination would not be able to create an authentic signature for the new content, so that the recipient could (should) authenticate the message for content and author (or signer, actually), then decide if the content is what it was when it was posted or sent, and that the author or signer is trustworthy.

It's all very cool... Check out Applied Cryptography, by Bruce Schneier, John Wiley & Sons, Inc 1996, as it is pretty much THE text on this sort of thing. There are many web sites as well.

> Some people just have pine set up to auto-sign everything.

If I recall correctly, there are cases where one shouldn't sign something. If I can remember any, I'll post 'em...

Hopefully, nothing changed in this message.

-dh
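
Added example (not part of the original message): hash-then-sign in Python, illustrating the point above that anyone holding the signer's public key can check both content and signer, and that altered content cannot be given a valid signature without the private key. The key pairs, sample text and function names are constructed for illustration; it uses unpadded textbook RSA with a trivially factorable modulus, whereas PGP uses properly generated keys and a padded signature encoding.

```python
import hashlib

# Constructed demo key pair (assumption, not from the post): the modulus is the
# product of two well-known Mersenne primes, so it is trivially factorable.
P, Q = 2**127 - 1, 2**521 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))    # private exponent, held by the signer only

AUTHOR_PUBLIC = (N, E)
AUTHOR_PRIVATE = (N, D)


def digest(message: bytes) -> int:
    """SHA-256 of the message as an integer (always smaller than N here)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(message: bytes, private_key) -> int:
    """Hash-then-sign with textbook RSA (no padding; illustration only)."""
    n, d = private_key
    return pow(digest(message), d, n)


def verify(message: bytes, signature: int, public_key) -> bool:
    """Anyone holding the public key can check both content and signer."""
    n, e = public_key
    return pow(signature, e, n) == digest(message)


def demo():
    posted = b"Package foo 1.0-1 uploaded by the maintainer."  # constructed sample
    sig = sign(posted, AUTHOR_PRIVATE)

    altered = posted.replace(b"1.0-1", b"1.0-2")    # content changed in transit
    # Someone else's key pair (constructed): different primes, same exponent.
    p2, q2 = 2**89 - 1, 2**607 - 1
    other_private = (p2 * q2, pow(E, -1, (p2 - 1) * (q2 - 1)))
    resigned = sign(altered, other_private)         # signed without the author's key

    return {
        "original": verify(posted, sig, AUTHOR_PUBLIC),
        "altered_old_sig": verify(altered, sig, AUTHOR_PUBLIC),
        "altered_resigned": verify(altered, resigned, AUTHOR_PUBLIC),
    }


if __name__ == "__main__":
    print(demo())
```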