
Re: Do you auto fetch GPG keys?



On 2006-06-15 20:29:48 +0100, Chris Willard wrote:

> From what I understand, if I download a key then I know that
> a message I receive has been signed or encrypted by the key,
> but I cannot be sure that the key is from the person due to
> man-in-the-middle attacks?

When you receive a message that is signed, you can be sure
that it has been signed by that key's holder.

When you send a message and encrypt it with some public key,
you can be sure that it can only be read by that key's holder.

What you don't know in the first place is whether that key
belongs to the person that is identified by the key ID.  In
order to figure that out, you have to either verify the key
directly with your correspondent -- preferably not by e-mail
--, or you may be able to rely on the web of trust, if your
correspondent's key is signed by people you trust, and whose
keys you know.

> Any opinions on these would be appreciated as I am not sure
> whether to download keys or not at the moment!

Download all the keys you can find.  But don't trust signatures
unless you have verified who the holder of the signing key
*really* is.

-- 
Thomas Roessler · Personal soap box at <http://log.does-not-exist.org/>.
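As an added illustration of the two checks described in the reply above (this is example code written for this page, not code from Thomas Roessler or from GnuPG): first, comparing a key's fingerprint against one obtained directly from the correspondent, and second, deciding whether a downloaded key's holder is verified under a GnuPG-style web of trust, where a certification only counts if the certifying key is itself valid. The key names, fingerprints and ownertrust assignments are constructed for the example; the function names and the `Key` class are assumptions chosen here. The parameters (three marginals, one full, depth five) are gpg's defaults, but the trust computation is a simplified model, not gpg's implementation.

```python
# Added example for this page: a small model of (1) out-of-band fingerprint
# verification and (2) GnuPG-style web-of-trust key validity. Illustrative
# code, not GnuPG's implementation; all keys below are constructed.
import hashlib
import hmac
from dataclasses import dataclass, field

# Ownertrust levels, named after the ones gpg uses.
ULTIMATE, FULL, MARGINAL, UNKNOWN = "ultimate", "full", "marginal", "unknown"


@dataclass
class Key:
    fingerprint: str
    uid: str
    # Fingerprints of keys whose holders certified (signed) this uid.
    certifiers: set = field(default_factory=set)


def normalize_fpr(fpr: str) -> str:
    """Strip the grouping spaces gpg prints and upper-case the hex digits."""
    return "".join(fpr.split()).upper()


def fingerprint_matches(local: str, out_of_band: str) -> bool:
    """Compare the fingerprint in the keyring with one obtained directly
    from the correspondent (phone, in person, business card); this is the
    'verify the key directly' step. compare_digest returns False rather
    than raising when the lengths differ."""
    return hmac.compare_digest(normalize_fpr(local).encode(),
                               normalize_fpr(out_of_band).encode())


def compute_valid_keys(keys, ownertrust, marginals_needed=3,
                       completes_needed=1, max_cert_depth=5):
    """Return the fingerprints whose holder is considered verified.

    Rules (classic gpg trust model, default parameters):
      * keys with ultimate ownertrust (your own) are valid at depth 0;
      * a certification counts only if the certifying key is itself valid;
      * a key becomes valid with `completes_needed` certifications from
        fully trusted keys or `marginals_needed` from marginally trusted
        keys, within `max_cert_depth` certification hops.
    Ownertrust is your judgement of how carefully a holder signs other
    keys; it is separate from whether that holder's own key is valid.
    """
    valid = {f for f in keys if ownertrust.get(f) == ULTIMATE}
    for _depth in range(1, max_cert_depth + 1):
        newly = set()
        for fpr, key in keys.items():
            if fpr in valid:
                continue
            # Self-signatures and signatures from unverified keys do not count.
            usable = [c for c in key.certifiers if c in valid and c != fpr]
            full = sum(ownertrust.get(c) in (ULTIMATE, FULL) for c in usable)
            marginal = sum(ownertrust.get(c) == MARGINAL for c in usable)
            if full >= completes_needed or marginal >= marginals_needed:
                newly.add(fpr)
        if not newly:
            break
        valid |= newly
    return valid


def signature_verdict(signer_fpr, keys, valid):
    """What to report once a signature cryptographically checks out."""
    if signer_fpr not in keys:
        return "signature cannot be checked: key not in keyring, fetch it first"
    if signer_fpr in valid:
        return f"GOOD signature from verified holder of {keys[signer_fpr].uid}"
    return f"GOOD signature, but the holder of {keys[signer_fpr].uid} is unverified"


def _fpr(seed: str) -> str:
    """Constructed 40-hex-digit fingerprint for the example (not a real key)."""
    return hashlib.sha1(seed.encode()).hexdigest().upper()


ME, BOB, CAROL, DAVE, ERIN, FRANK, GRACE, HEIDI, IVAN = (
    _fpr(n) for n in ("me", "bob", "carol", "dave", "erin", "frank",
                      "grace", "heidi", "ivan"))

# Constructed keyring: who has certified whom.
SAMPLE_KEYS = {
    ME: Key(ME, "Me"),
    BOB: Key(BOB, "Bob", {ME}),               # fingerprint checked in person, signed by me
    CAROL: Key(CAROL, "Carol", {BOB}),        # only Bob has signed Carol
    DAVE: Key(DAVE, "Dave", {ME}),
    ERIN: Key(ERIN, "Erin", {ME}),
    FRANK: Key(FRANK, "Frank", {ME}),
    GRACE: Key(GRACE, "Grace", {DAVE, ERIN, FRANK}),
    HEIDI: Key(HEIDI, "Heidi", {DAVE, ERIN}),  # two marginals: not enough
    IVAN: Key(IVAN, "Ivan", {IVAN}),          # fetched from a keyserver, only self-signed
}
SAMPLE_OWNERTRUST = {ME: ULTIMATE, BOB: FULL,
                     DAVE: MARGINAL, ERIN: MARGINAL, FRANK: MARGINAL}


def example_valid_keys():
    return compute_valid_keys(SAMPLE_KEYS, SAMPLE_OWNERTRUST)


if __name__ == "__main__":
    valid = example_valid_keys()
    for fpr, key in SAMPLE_KEYS.items():
        print(f"{key.uid:6} {'verified' if fpr in valid else 'unverified'}")
    print(signature_verdict(IVAN, SAMPLE_KEYS, valid))
```

Ivan's key illustrates the closing advice: downloading it lets the signature be checked mathematically, but with no path from a key you have verified yourself it tells you nothing about who holds it. Carol becomes valid only because Bob's key was verified first and Bob was given full ownertrust; Heidi's two marginal certifications fall short of the default threshold.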