Hi, this is a basic problem of PKI - is the key the correct one to use. There is nothing to stop you from copying for example my key information. That's why you need to check the received key over another channel. For example I put my fingerprint on my website and it's also on my business card. A second way is looking at the signatures from other users thus it's not the best method for validating an identity. ~Josef Am 19.02.2016 um 13:34 schrieb Nathaniel Suchy: > I've noticed a lot of users of Tor use PGP. With it you can encrypt or sign > a message. However how do we know a key is real? What would stop me from > creating a new key pair and uploading it to the key servers? And from there > spoofing identity?
Attachment:
signature.asc
Description: OpenPGP digital signature
-- tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk