On 23/09/11 16:28, Michael Gomboc wrote:
> OK, I guess I know too little about PGP. So, if someone does not have the
> private key, they cannot provide the right signature. So even if you
> download the signature and the file from a fake page, you would notice
> by checking the authenticity. Is that right?

That is correct. For example, I have signed this email with my private PGP
key. I am the only person with access to that private key. The
corresponding public key is available on the Internet for anyone to
download, in several places. Anyone who has my public key can verify that
this email was signed by me, and that it hasn't been tampered with.

This is the same process used to sign Tor.

-- 
Mike Cardwell https://grepular.com/ https://twitter.com/mickeyc
Professional http://cardwellit.com/ http://linkedin.com/in/mikecardwell
PGP.mit.edu 0018461F/35BC AF1D 3AA2 1F84 3DC3 B0CF 70A5 F512 0018 461F
Attachment:
signature.asc
Description: OpenPGP digital signature
_______________________________________________
tor-talk mailing list
tor-talk@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
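An added example, not part of the original message and not the Tor Project's own tooling: the check discussed in the message above, run end to end with GnuPG on constructed throwaway keys and files. It goes one step beyond the message by also comparing the signer's fingerprint with one obtained out of band, since a fake page can publish its own key under the same name; the `verify_download` helper and all names and paths are assumptions of this example.

```shell
#!/bin/sh
# Constructed demo: throwaway keys, names and files in a temp dir. Needs GnuPG 2.2+.
WORK=$(mktemp -d)
cleanup() {
  for h in dev fake; do gpgconf --homedir "$WORK/$h" --kill gpg-agent 2>/dev/null || :; done
  rm -rf "$WORK"
}
trap cleanup EXIT

g() { home=$1; shift; gpg --homedir "$home" --batch --quiet --no-tty "$@"; }

new_key() {   # new_key HOMEDIR USER-ID (no passphrase: demo only)
  mkdir -m 700 "$1"
  g "$1" --pinentry-mode loopback --passphrase '' \
    --quick-generate-key "$2" ed25519 sign never 2>/dev/null
}
sign() {      # sign HOMEDIR FILE: writes detached signature FILE.asc
  g "$1" --pinentry-mode loopback --passphrase '' \
    --armor --output "$2.asc" --detach-sign "$2" 2>/dev/null
}
fpr_of() {    # fingerprint of the single key in HOMEDIR
  g "$1" --with-colons --list-keys 2>/dev/null | awk -F: '$1=="fpr"{print $10; exit}'
}

# verify_download FILE SIG PUBKEY EXPECTED_FPR
# True only when SIG is a good signature over FILE made by the key whose
# fingerprint the user already holds from a trusted channel (EXPECTED_FPR).
verify_download() {
  kr=$(mktemp -d "$WORK/verify.XXXXXX")          # fresh keyring per check
  g "$kr" --import "$3" 2>/dev/null
  got=$(g "$kr" --status-fd 1 --verify "$2" "$1" 2>/dev/null |
        awk '$2=="GOODSIG"{ok=1} $2=="VALIDSIG"{f=$NF} END{if(ok)print f}')
  [ -n "$got" ] && [ "$got" = "$4" ]
}

new_key "$WORK/dev"  "Release Signer <signer@example.org>"
new_key "$WORK/fake" "Release Signer <signer@example.org>"   # same name, other key
g "$WORK/dev"  --armor --export > "$WORK/dev.asc"
g "$WORK/fake" --armor --export > "$WORK/fake.asc"
DEV_FPR=$(fpr_of "$WORK/dev")

printf 'genuine release\n'  > "$WORK/bundle.tar"; sign "$WORK/dev"  "$WORK/bundle.tar"
printf 'modified release\n' > "$WORK/evil.tar";   sign "$WORK/fake" "$WORK/evil.tar"

check() { l=$1; shift; if verify_download "$@"; then echo "ACCEPT  $l"; else echo "REJECT  $l"; fi; }
check "genuine file, genuine signature"  "$WORK/bundle.tar" "$WORK/bundle.tar.asc" "$WORK/dev.asc"  "$DEV_FPR"
check "modified file, genuine signature" "$WORK/evil.tar"   "$WORK/bundle.tar.asc" "$WORK/dev.asc"  "$DEV_FPR"
check "modified file, look-alike key"    "$WORK/evil.tar"   "$WORK/evil.tar.asc"   "$WORK/fake.asc" "$DEV_FPR"
check "modified file, signer key absent" "$WORK/evil.tar"   "$WORK/evil.tar.asc"   "$WORK/dev.asc"  "$DEV_FPR"
```

In the third case GnuPG itself reports a good signature, because the look-alike key really did sign the file; only the fingerprint comparison rejects it.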