So, how does someone downloading my library know that it's signed by me, not just signed by anyone who figures out how to run PGP and type a name? Because the same signature is used in other places, so the consumer "gets to know" that person.
Well, thats not how a digital signature works if digital signatures in s/mime (my only experience) are anything to go by. We dont know that your signature is real until we can do two things, first determine if the signature was generated from a trusted root authority and second determine if the primed checksum (be it md5 or sha dat de da..) is correct for the payload carried. By primed I mean that only someone who knows the private key could have generated that checksum for that data. Having passed these checks we would assume that both the payload actually comes from you and that it is what you and only you meant to send.
So if I want to send you something I take my private key use it to prime my checksum and then post my public key and checksum for said document, basically the same process of encrypting but I dont change the data.
Anyway, I suppose i've missed the point, but isn't all of this what SSL (https) and brethren are for?
Yves
--
You are not ready to use symrefs unless you already know why they are bad. -- tadmc (CLPM)
In reply to Re: Digital Signatures on Web Pages
by demerphq
in thread Digital Signatures on Web Pages
by John M. Dlugosz
| For: | Use: | ||
| & | & | ||
| < | < | ||
| > | > | ||
| [ | [ | ||
| ] | ] |