Re: Do you auto fetch GPG keys?

To: Chris Willard <chris@xxxxxxxxxxxxxxxxx>
Subject: Re: Do you auto fetch GPG keys?
From: Thomas Roessler <roessler@xxxxxxxxxxxxxxxxxx>
Date: Thu, 15 Jun 2006 21:47:26 +0200
Cc: Mutt Users List <mutt-users@xxxxxxxx>
In-reply-to: <20060615192948.GA5292@xxxxxxxxxxxxxxxxx>
Mail-followup-to: Chris Willard <chris@xxxxxxxxxxxxxxxxx>, Mutt Users List <mutt-users@xxxxxxxx>
References: <20060615192948.GA5292@xxxxxxxxxxxxxxxxx>
User-agent: Mutt/1.5.11-2006-06-13

On 2006-06-15 20:29:48 +0100, Chris Willard wrote:

> From what I understand if I download a key then I know that
> a message I receive has been signed or encrypted by the key
> but I can not be sure that the key is from the person due to
> man in the middle attacks?

When you receive a message that is signed, you can be sure
that it has been signed by that key's holder.

When you send a message and encrypt it with some public key,
you can be sure that it can only be read by that key's holder.

What you don't know in the first place is whether that key
belongs to the person that is identified by the key ID.  In
order to figure that out, you have to either verify the key
directly with your correspondent -- preferably not by e-mail
--, or you may be able to rely on the web of trust, if your
correspondent's key is signed by people you trust, and whose
keys you know.

> Any opinions on these would be appreciated as I am not sure
> to download keys or not at the moment!

Download all the keys you can find.  But don't trust signatures
unless you have verified who the holder of the signing key
*really* is.

-- 
Thomas Roessler · Personal soap box at <http://log.does-not-exist.org/>.

References:
- Do you auto fetch GPG keys?
  - From: Chris Willard

Prev by Date: Do you auto fetch GPG keys?
Next by Date: Re: Do you auto fetch GPG keys?
Previous by thread: Do you auto fetch GPG keys?
Next by thread: Re: Do you auto fetch GPG keys?
Index(es):
- Date
- Thread