Linux Journal: The High-Tech How Not to be Seen, Part 4
Nov 29, 1999, 22:42
(Other stories by Marcel Gagné)
"When we left our current topic last week, some niggling little questions remained. We could come up with a number of examples, but essentially it comes down to this one simple question: "How can I trust the source of a public key?" All right, two questions. The other is, "If we're all sending signed and encrypted data, how can I possibly verify every key on every web site or keyserver?"
"Suppose you work for Megacorp InterUniversal Inc., and corporate policy says that all company e-mail must now be signed and encrypted for it to be accepted by the system. Lately, your competitor, UltraCorp MultiDimensional, has been trying to finagle information from employees via bogus e-mails. No problem; your public keys are posted on a keyserver so anyone can send you encrypted e-mail. The problem is that MegaCorp has 23,000 employees and business contacts. Again, how can you possibly verify all those signatures?"
"In essence, that's the idea behind companies like VeriSign and GlobalSign. They provide a certificate signing authority that validates public keys. Whenever you visit a web site that runs a secure web server (SSL), that server will present your browser with a certificate generated by that site. Normally, you do not see this exchange at all. That's because Netscape (and Internet Explorer) employ various top-level signatures from trusted certificate authorities to basically say, "Yes, that's a good signature. You don't need to bother the user with this one." The question of trust has already been answered for you."
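The trust decision the excerpt describes, as an added example that is not part of the article: one self-signed root stands in for the trusted authority a browser ships with, a server certificate signed by that root verifies, and a certificate with the same name issued by an unknown root does not. All names are constructed and openssl is assumed to be installed.

```shell
#!/bin/sh
# Miniature PKI built with the openssl CLI (example code, not the article's).
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Create a self-signed root CA: $1 = file stem, $2 = common name (constructed)
make_root() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# Issue a server certificate: $1 = root stem, $2 = leaf stem, $3 = server name
make_server() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.crt" \
    -CAkey "$WORK/$1.key" -CAcreateserial -days 1 \
    -out "$WORK/$2.crt" 2>/dev/null
}

# The check a browser performs: does the certificate chain back to a root
# we already trust? $1 = trusted root stem, $2 = certificate stem.
# Prints "trusted" or "untrusted" and returns 0 or 1 accordingly.
check_trust() {
  if openssl verify -CAfile "$WORK/$1.crt" "$WORK/$2.crt" >/dev/null 2>&1; then
    echo trusted; return 0
  fi
  echo untrusted; return 1
}

make_root mega_root  "Megacorp Root CA"      # the root in our trust store
make_root rogue_root "UltraCorp Root CA"     # a root nobody vouched for
make_server mega_root  mail_legit "mail.megacorp.example"
make_server rogue_root mail_bogus "mail.megacorp.example"  # same name

check_trust mega_root mail_legit          # trusted: signed by our root
check_trust mega_root mail_bogus || true  # untrusted: unknown issuer
```

Only the root in the trust store matters here: the bogus certificate carries an identical subject name and a valid signature, and it is rejected purely because its issuer is not one the verifier already trusts.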