Always Sign Your PGP Public Key
Here's how the attack works. I take your unsigned public key, and (using a suitably powerful editor, such as Emacs) I edit the userid string so that it still has your name but my email address on it. Then I distribute this modified key widely. Note that the modified key continues to have the same key fingerprint as the unmodified key, so it appears to be your key to all who do not know your email address.
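The following is an added example, not code from the original post. It shows why the fingerprint cannot protect the userid (a version 4 fingerprint hashes only the public-key packet) and how to flag userids that have no signature packet after them. The function names, the toy key numbers and the placeholder signature body are assumptions constructed for illustration, and the check is structural only: it does not verify any signature.

```python
import hashlib

def parse(data):
    """Yield (tag, body) for each OpenPGP packet (RFC 4880, section 4.2)."""
    i = 0
    while i < len(data):
        hdr = data[i]; i += 1
        if hdr & 0x40:                          # new-format header
            tag, first = hdr & 0x3F, data[i]; i += 1
            if first < 192:
                n = first
            elif first < 224:
                n = ((first - 192) << 8) + data[i] + 192; i += 1
            elif first == 255:
                n = int.from_bytes(data[i:i + 4], "big"); i += 4
            else:
                raise ValueError("partial body lengths not handled")
        else:                                   # old-format header
            tag, ltype = (hdr >> 2) & 0x0F, hdr & 3
            if ltype == 3:
                raise ValueError("indeterminate length not handled")
            n = int.from_bytes(data[i:i + (1 << ltype)], "big"); i += 1 << ltype
        yield tag, data[i:i + n]
        i += n

def fingerprint(data):
    """V4 fingerprint: SHA-1 of 0x99, 2-octet length, key packet body (RFC 4880, 12.2)."""
    tag, body = next(parse(data))
    if tag != 6 or body[0] != 4:
        raise ValueError("expected a version 4 public-key packet first")
    return hashlib.sha1(b"\x99" + len(body).to_bytes(2, "big") + body).hexdigest()

def unsigned_user_ids(data):
    """User IDs (tag 13) with no signature packet (tag 2) right after them."""
    pkts = list(parse(data))
    return [b.decode("utf-8", "replace") for k, (t, b) in enumerate(pkts)
            if t == 13 and (k + 1 == len(pkts) or pkts[k + 1][0] != 2)]

# Constructed sample data: toy RSA numbers and a placeholder signature body.
def packet(tag, body):
    return bytes([0x80 | (tag << 2) | 1]) + len(body).to_bytes(2, "big") + body

def mpi(x):
    return x.bit_length().to_bytes(2, "big") + x.to_bytes((x.bit_length() + 7) // 8, "big")

KEY = packet(6, b"\x04" + bytes(4) + b"\x01" + mpi(0xC0FFEE) + mpi(65537))
ORIGINAL = KEY + packet(13, b"Alice Example <alice@example.org>")
EDITED = KEY + packet(13, b"Alice Example <other@example.net>")
SIGNED = ORIGINAL + packet(2, b"\x04\x13")  # stands in for a self-signature
```

ORIGINAL and EDITED produce the same fingerprint, and both are reported by unsigned_user_ids. To check self-signatures cryptographically rather than structurally, use gpg --check-sigs on the imported key.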