If "B" signs a message that is sent to "C", but "C" only has "A"s public key, can "C" verify "B"s message without asking for "B"s public key?
Just so I'm understanding the question correctly, we're talking about some sort of signature where you can decode it by using that user's public key, correct?
Thus you somehow have to have B's signature, which was encrypted with B's private key, become unencrypted by something other than B's public key?
That seems to be against the very idea of how a signature is supposed to work. But maybe I'm missing something in the question.
So I thought I'd ask a PGP question.
Lets say I have 3 PGP users "A", "B" and "C".
B sends A their public key, which A signs and returns.
Now "B" and "C" dont have each other's public keys, but they do have "A"s.
If "B" signs a message that is sent to "C", but "C" only has "A"s public key, can "C" verify "B"s message without asking for "B"s public key?
I thought the answer was yes, but I'n not sure now...
No, no decoding, nor encryption involved. With PGP, you can "digitally sign" a piece of text, that somebody can verify with a public key.
This is where the idea of a pgp key repository comes in. Perhaps the most famous is the one operated by mit at:
https://pgp.mit.edu
If you go to that site, you're able to submit your own public key & look
up the public keys of others.
Of course for this to work all parties involved would need to be using the same repositor(y|ies).
No, no decoding, nor encryption involved. With PGP, you can "digitally sign" a piece of text, that somebody can verify with a public key.
of my certificate. (The difference is, you also get my public
certificate, so I may have answered my own question...)
Since PGP is inherently peer to peer, there's no central authority that controls it. You would need a directory or listing of other people's public keys.
If you didn't want to use a repository, you would then need to make sure each client had each other's public key locally.
Perhaps I'm still not following, but my understanding of a PGP signature is that I encrypt something (generally a hash) using my private key, and then you decrypt it using the public key and see if it matches that something.
Re: Re: PGP question
By: Adept to alterego on Mon Jun 08 2020 08:22 pm
Perhaps I'm still not following, but my understanding of a PGP
signature is that I encrypt something (generally a hash) using
my private key, and then you decrypt it using the public key
and see if it matches that something.
With PGP, you can choose to encrypt something - so that only the
receipent can see it, or you can choose to sign something - which
proves you are the only person that sent it.
When you "sign" it does not have to be encrypted. IE: I can clear
sign a piece of text, that anybody can read, but the signature
below it will only be validated with my public key, prooving it
came from me.
When you "sign" it does not have to be encrypted. IE: I can clear sign a piece of text, that anybody can read, but the signature below it will
only be validated with my public key, prooving it came from me.
I'm pretty sure Adept is right here, a signature (the little bit down
the bottom) is an encrypted hash of the message, which has been
I'm pretty sure Adept is right here, a signature (the little bit down
the bottom) is an encrypted hash of the message, which has been
encrypted using the private key so it can be decrypted with the public
key and that's how verification of the (unencrypted) message works.
So the only value of cross-signing keys is to increase trust (of the public key). IE: If Alice and Bill signed Cindy's key, and I receive something from Cindy it must be Cindy (not somebody protending to bre Cindy) becase I know Alice and Bill and trust them...
(But Cindy also needs to give you her cross signed public key by Alice
and Bill right?)
On 09 Jun 2020, alterego said the following...
I met a couple of people in a downtown coffee shop & we all showed
each other our drivers licenses (this was before smartphones, so
there was no risk of them taking a picture of the ID), we had a
coffee and a few hours later I got an email saying they had signed
my key, and I signed theirs.
Sysop: | Nelgin |
---|---|
Location: | Plano, TX |
Users: | 606 |
Nodes: | 10 (2 / 8) |
Uptime: | 82:05:08 |
Calls: | 9,644 |
Calls today: | 14 |
Files: | 16,067 |
Messages: | 1,064,391 |
Posted today: | 5 |