tor@xxxxxxxxxxxxxxxxxx wrote:

> On 23/09/11 16:28, Michael Gomboc wrote:
>> OK, I guess I know too little about PGP. So, if someone does not have the private key, they cannot provide the right signature. So even if you download the signature and the file from a fake page, you would notice by checking the authenticity. Is that right?
>
> That is correct. For example, I have signed this email with my private PGP key. I am the only person with access to that private key. The corresponding public key is available on the Internet for anyone to download, in several places. Anyone who has my public key can verify that this email was signed by me, and that it hasn't been tampered with. This is the same process used to sign Tor.
This is correct as far as it goes. You can verify that the software that was downloaded was signed with a particular private key. The problem is knowing whether that key, in fact, belongs to the Tor Project. torproject.org does list the key they use on their web site. The problem then returns to knowing if the web page you are looking at to verify the key is the real one or a fake. Which I believe is where the OP began. How does he know if the web page is correct when he cannot trust the SSL certificate?

I seem to recall that one of the people from the Tor Project stated that some browsers now have the correct Tor Project SSL certificate "baked into them". I don't have the time to go looking for that right now but perhaps somebody can refresh all of our memories?

Regards,
Jim
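An added example (not from anyone in this thread) of the distinction Jim draws: `gpg --verify` tells you a signature is valid for *some* key you hold, while the question is whether that key is the project's. The check below parses gpg's machine-readable `--status-fd` output and accepts a signature only when the signing key's full fingerprint matches one pinned from an out-of-band source. The fingerprint constants and status lines are constructed placeholders, not the Tor Project's.

```python
import subprocess
from typing import Iterable, Optional

# Placeholder: the real fingerprint must come from a source you already trust,
# not from the web page whose authenticity is in question.
PINNED_FPR = "0000000000000000000000000000000000000000"

def signing_fingerprint(status_lines: Iterable[str]) -> Optional[str]:
    """Return the primary-key fingerprint from gpg's VALIDSIG line, or None.

    GOODSIG alone names only a short key id, which is cheap to collide; VALIDSIG
    carries the full fingerprint. Its optional last field is the primary key
    even when a subkey made the signature. Any negative status fails closed.
    """
    fpr = None
    for line in status_lines:
        parts = line.split()
        if len(parts) < 2 or parts[0] != "[GNUPG:]":
            continue
        if parts[1] in ("BADSIG", "ERRSIG", "EXPKEYSIG", "REVKEYSIG", "NODATA"):
            return None
        if parts[1] == "VALIDSIG" and len(parts) >= 3:
            fpr = (parts[11] if len(parts) >= 12 else parts[2]).upper()
    return fpr

def signature_trusted(status_lines: Iterable[str], pinned: str = PINNED_FPR) -> bool:
    """True only if the signature verified AND the signer is the pinned key."""
    fpr = signing_fingerprint(status_lines)
    return fpr is not None and fpr == pinned.replace(" ", "").upper()

def verify_download(path: str, sig_path: str, pinned: str = PINNED_FPR) -> bool:
    """Run gpg on a real file and apply the pinned-fingerprint check."""
    proc = subprocess.run(["gpg", "--status-fd", "1", "--verify", sig_path, path],
                          capture_output=True, text=True, check=False)
    return signature_trusted(proc.stdout.splitlines(), pinned)

# Constructed status output: a good signature by the pinned key ...
SAMPLE_GOOD = [
    "[GNUPG:] GOODSIG 0000000000000000 Example Signer <signer@example.invalid>",
    "[GNUPG:] VALIDSIG 1111111111111111111111111111111111111111 2011-09-23 "
    "1316786880 0 4 0 1 10 00 " + PINNED_FPR,
    "[GNUPG:] TRUST_UNDEFINED 0 pgp",
]
# ... a tampered file ...
SAMPLE_BAD = ["[GNUPG:] BADSIG 0000000000000000 Example Signer <signer@example.invalid>"]
# ... and the "fake page" case: a perfectly valid signature, but by a different key.
SAMPLE_OTHER_KEY = [
    "[GNUPG:] GOODSIG 2222222222222222 Impostor <fake@example.invalid>",
    "[GNUPG:] VALIDSIG 2222222222222222222222222222222222222222 2011-09-23 "
    "1316786880 0 4 0 1 10 00 2222222222222222222222222222222222222222",
]
```

Plain `gpg --verify` reports the third sample as a good signature; only the fingerprint comparison rejects it.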