|
Документ взят из кэша поисковой машины. Адрес
оригинального документа
: http://hea-www.harvard.edu/~fine/Me/pgp.html
Дата изменения: Unknown Дата индексирования: Mon Oct 1 22:53:03 2012 Кодировка: Поисковые слова: п п п п п п п п п п п п п п п п р п р п р п |
Otherwise, in order to verify that this is really my key (i.e. my web pages haven't been compromised), you will need to call me on the phone and verify my fingerprint. When doing this, do NOT get my phone number from elsewhere in my web pages, or from finger information. Instead, find the phone number for The Ohio State University's Information, and call them, and ask them for my phone number.
If you don't know how to get a fingerprint from a PGP public key, please read the manuals that came with PGP.
Note that my own signature alone doesn't verify that this key is mine, only that it hasn't been tampered with by whoever created it (i.e. someone else may have forged this, signed it, and then updated my web page for me.) So if you don't know Steve and don't have his public key, you can't trust my signature alone.
Of course, if you are really paranoid, you'll realize that it is even possible to intercept phone calls intended for me, and still get away with a forgery. They would also have to change any publically available versions of Steve's public key too. You can see that it starts to become unlikely that someone would really go to such lengths. There comes a point where practicality takes precedence over paranoia. Ultimately this is because it is completely impossible to guarantee the identity of anyone. The best you can do is to take reasonable steps to make it highly unlikely that you've been duped.
The best way to verify my identity is to know (and trust) someone that knows me, and can vouch for me (just Steve at this point). Of course, they could always betray that trust (no guarantees, remember?). Failing that, you would hope to meet me in person, face-to-face. Of course this proves nothing. Only that someone was able to forge all the appropriate documents to match their face (and signature, if you want to carry it that far). At the very least, it is psychologically tougher to lie to someone in person than by phone or through email. And you have the benefit of knowing what they look like if it turns out they have lied to you.
You can confirm in a face-to-face meeting that this is the same person you corresponded with through email, with some sort of shared secret, but that secret could be less secret than you think. Even if the secret is safe, you've only confirmed that the stranger you are staring at is the same stranger that you exchanged email with. They could still be lying about their identity.
Makes you crazy, doesn't it? Just remember, the exact same problem existed before cyberspace, and we've gotten along pretty well. Most of the time, people are introduced to us in circumstances that make identity forgery very unlikely (e.g. mutual friend, or a co-worker verified by your employer). So don't get completely paranoid. But also don't blindly trust technology to provide guarantees that can't possibly be provided.
If you have questions, the World Wide Web Virtual Library has a good starting point on Cryptography, PGP, and Your Privacy.