> Isn't a wiki an inherently bad place to post a PGP key?

There would be no harm in posting a public key on any website anywhere. In 
fact, public keys are supposed to be freely distributed and should be made as 
widely available as possible. It's the secret key that's supposed to remain, 
well, secret.

> It is clear that I don't understand the nuances of cryptographic key
> signing.

Perhaps you should read up on public key encryption.

http://en.wikipedia.org/wiki/Public_key_encryption
http://en.wikipedia.org/wiki/Man_in_the_middle_attack

> I thought that
> the purpose of the PGP key was to verify that the packages downloaded
> are: 
> a) the correct packages 
> and 
> b) downloaded without error.

You do use the public key to verify the authenticity of the software being 
downloaded, but someone else's public key cannot be used to verify a 
signature made with a different secret key... you need to use the public key 
that corresponds to the secret key used to do the actual signing.

So in your example, if the public key were put on the wiki and then someone 
replaced it with a different public key, and you relied upon this other key, 
your computer would throw an error after not being able to verify the digital 
signatures and it would quickly become obvious that something was up.

_______________________________________________
gNewSense-users mailing list
gNewSense-users@nongnu.org
http://lists.nongnu.org/mailman/listinfo/gnewsense-users
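The key-correspondence point above, as an added example that is not code from the thread: Ed25519 from Go's standard library stands in for PGP, and the package bytes are a constructed sample. It covers the case the reply describes (a substituted public key fails to verify the project's signature) and also the case where the same party replaces the package and its signature, which is why the published key itself needs to be checked through a channel the attacker does not control.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Package is a stand-in for a downloaded archive plus its detached signature.
type Package struct {
	Data []byte
	Sig  []byte
}

// keypair makes an Ed25519 pair: the public half is what a project publishes
// (e.g. on a wiki), the private half stays with the release signer.
func keypair() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// sign produces the detached signature attached to a release.
func sign(priv ed25519.PrivateKey, data []byte) Package {
	return Package{Data: data, Sig: ed25519.Sign(priv, data)}
}

// verify checks a package against the public key the downloader trusts.
func verify(pub ed25519.PublicKey, p Package) bool {
	return ed25519.Verify(pub, p.Data, p.Sig)
}

// Scenario returns three results: genuine key verifies the genuine release;
// a substituted key does not verify it; a substituted key does verify a
// release that was re-signed by the holder of that substituted key.
func Scenario() (genuineOK, swappedKeyOK, swappedKeyAndPkgOK bool) {
	projectPub, projectPriv := keypair() // the project's real key pair
	otherPub, otherPriv := keypair()     // key pair of whoever edited the wiki
	release := sign(projectPriv, []byte("gnewsense-pkg-1.0.tar.gz (constructed sample)"))
	genuineOK = verify(projectPub, release)
	swappedKeyOK = verify(otherPub, release)
	resigned := sign(otherPriv, []byte("modified package (constructed sample)"))
	swappedKeyAndPkgOK = verify(otherPub, resigned)
	return
}

func main() {
	g, s, b := Scenario()
	fmt.Printf("genuine=%v swappedKey=%v swappedKeyAndPkg=%v\n", g, s, b)
}
```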