[tor-talk] PGP and Signed Messages,

Josef 'veloc1ty' Stautner hello at veloc1ty.de
Fri Feb 19 12:45:22 UTC 2016


Hi,

this is a basic problem of PKI: is the key the correct one to use?
There is nothing to stop you from copying, for example, my key
information. That's why you need to check the received key over another
channel. For example, I put my fingerprint on my website and it's also on
my business card.

A second way is looking at the signatures from other users thus it's not
the best method for validating an identity.

~Josef

On 19.02.2016 at 13:34, Nathaniel Suchy wrote:
> I've noticed a lot of users of Tor use PGP. With it you can encrypt or sign
> a message. However, how do we know a key is real? What would stop me from
> creating a new key pair and uploading it to the key servers? And from there
> spoofing identity?
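
An added example, not part of either message above: the fingerprint check described in the reply, worked through for OpenPGP version 4 keys, where the fingerprint is a SHA-1 hash over the public-key packet only (RFC 4880, section 12.2). The key numbers, the user ID and the helper names are constructed for illustration; a real check would take the packet from the received key file.

```python
import hashlib
import hmac
import struct

def mpi(n: int) -> bytes:
    """OpenPGP MPI: 2-byte bit count, then the big-endian value."""
    return struct.pack(">H", n.bit_length()) + n.to_bytes((n.bit_length() + 7) // 8, "big")

def rsa_key_body(created: int, n: int, e: int) -> bytes:
    """Body of a version 4 public-key packet, algorithm 1 (RSA)."""
    return struct.pack(">BIB", 4, created, 1) + mpi(n) + mpi(e)

def v4_fingerprint(body: bytes) -> str:
    """SHA-1 over 0x99, the 2-byte body length and the body (RFC 4880, 12.2)."""
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()

def normalize(printed: str) -> str:
    """Drop the spaces and colons people add when printing a fingerprint."""
    return "".join(ch for ch in printed if ch not in " :\t\r\n").upper()

def matches_trusted(body: bytes, printed: str) -> bool:
    """True only if the received key hashes to the full out-of-band fingerprint."""
    trusted = normalize(printed)
    # Refuse short key IDs and anything that is not 40 hex digits.
    if len(trusted) != 40 or any(ch not in "0123456789ABCDEF" for ch in trusted):
        return False
    return hmac.compare_digest(v4_fingerprint(body), trusted)

# Constructed sample data: toy numbers, not usable RSA keys.
# The user ID travels in a separate packet and is not hashed, so both
# keys below can claim the same name and address.
USER_ID = "Alice Example <alice@example.org>"
GENUINE = rsa_key_body(1455840000, (1 << 255) | 0x1F3D5, 65537)
IMPOSTOR = rsa_key_body(1455840000, (1 << 255) | 0x2A7B9, 65537)

# What the owner would print on a website or business card.
_fpr = v4_fingerprint(GENUINE)
CARD = " ".join(_fpr[i:i + 4] for i in range(0, 40, 4)).lower()

if __name__ == "__main__":
    for label, key in (("genuine", GENUINE), ("impostor", IMPOSTOR)):
        print(label, USER_ID, v4_fingerprint(key), matches_trusted(key, CARD))
```

Both keys can carry the same name on a key server, but only the one whose packet hashes to the fingerprint obtained over the second channel is accepted.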

