Mercury

Sean Conner sean at conman.org

Wed Jun 24 23:03:51 BST 2020

- - - - - - - - - - - - - - - - - - - 

It was thus said that the Great defdefred once stated:

On Wednesday 24 June 2020 18:32, Case Duckworth <acdw at acdw.net> wrote:
If transmissions are sent in the clear, anyone in the middle (ISP,
malicious actor) can modify any data, including a PGP signature (meaning
a malicious actor could change the PGP signature to their PGP signature,
then impersonate the person). TLS encrypts the transmission between the
two endpoints, which is the only way to guarantee the message hasn't
been tampered with.
When you are reading a PGP-signed document from a server where you own a
defined set of public PGP keys, you don't fear a MITM attack (the same way
TLS is secure only with a PKI).
The difference is that external PGP signatures are all computed only at
document publication time and not on the fly for each user request.

How do you safely get my public key?

-spc