Re: digital signature

["Matthew Gillen" <user=50@nabble.blu.org>]

 Stephen Adler wrote: 
> To do this right, I believe, I want to get a key pair which is 
> registered with a 3rd party registry like verisign or 
> networksolutions.com or something like that. Is this not so? Say I 
> sign a document with a self generated key pair, how does a third party 
> know that the signature came from me and not someone posing as me who 
> generated their own pair of keys? 
As Dan pointed out, you build a web of trust, using the standard methods: 
 - distribute your key (or at least the fingerprint for later 
verification of your key) when you meet people in person (sneakernet) 
 - POTS (ie have them read off the fingerprint of your public key over 
the phone to you) 
 - Post it on your business web site (generally thought to be less 
secure than the first two, although if people get your phone number from 
your website...) 
 - if it's really important, hire a courier. 

> If I do need to go through the 3rd party registry route, who should I 
> use? 
You could probably do a hell of a lot better than the standard practice 
today (ie no verification beyond the "From" header in an email) without 
going overboard with air-tight verification.  It's really a matter of 
how far you want to move the slider from "easy to use, but no 
verification" to "it would almost be easier to fly there and deliver the 
document in person".   For business, you probably don't want to go too 
far toward the latter, lest it get in the way of things you're getting 
paid to do (unless verification is something the client is really 
interested in or knowledgeable about). 

Matt 



-- 
This message has been scanned for viruses and 
dangerous content by MailScanner, and is 
believed to be clean. 

_______________________________________________ 
Discuss mailing list 
[hidden email] 
http://lists.blu.org/mailman/listinfo/discuss