How To Verify the Public Key
- It is posted on the arbores.ca website linked from the main
page
- Search for my email address on the keyserver at
subkeys.pgp.net
(the keyserver is a convenience only; anyone can upload a key under
any name there, so use it together with the signed picture below)
- I have digitally signed
my picture [bryan.jpg]
and posted the signature here [bryan.jpg.asc].
The signature will only verify against the public key that made it, so a
good result tells you the key you fetched is the one that signed the picture.
To verify the signature:
- Download and install GnuPG.
I like the Cygwin environment
and there is a GnuPG (gpg) package available for it.
For MS-Windows users, try
Gpg4win.
Note that Gpg4win has a plugin for the MS-Outlook 2003 email
program you can use to sign/encrypt email and verify signatures.
- Import my public key (from the website copy or the keyserver) into your
GnuPG keyring; gpg cannot check the signature until it has the key.
- Save my picture and the signature file together in a temporary directory.
- Using GPG at the command line, in that directory, type
gpg --verify bryan.jpg.asc
(gpg looks for the signed file, bryan.jpg, next to the .asc file)
- Confirm that the output from gpg says "Good signature". A "BAD signature"
means either the picture or the key you imported is not the one I published.
- Use my public key to exchange signed and/or encrypted messages with
me :-)
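The procedure above, run end to end as an added example (this is not code from the original page). It uses a throwaway key in scratch keyrings so nothing touches your real keyring; "Demo Signer <demo@example.invalid>" and the contents of the stand-in bryan.jpg are made up for the demo. It also shows the two ways the check fails (key not imported, picture tampered with) and how to read gpg's machine-readable status lines instead of grepping the localized "Good signature" text.

```shell
#!/bin/sh
# Added example: detached-signature verification with a throwaway key.
# Demo identity and file contents are made up; bryan.jpg / bryan.jpg.asc
# stand in for the real picture and signature from the page.
set -eu

command -v gpg >/dev/null 2>&1 || { echo "gpg not found: install GnuPG (or Gpg4win) first" >&2; exit 1; }

SIGNER="$(mktemp -d)"   # keyring of the person who signed the picture
READER="$(mktemp -d)"   # keyring of the person checking it (you)
WORK="$(mktemp -d)"     # the "temporary directory" from the page
chmod 700 "$SIGNER" "$READER"

cleanup() {
    for d in "$SIGNER" "$READER"; do gpgconf --homedir "$d" --kill gpg-agent 2>/dev/null || true; done
    rm -rf "$SIGNER" "$READER" "$WORK"
}
trap cleanup EXIT

# Verify a detached signature and reduce the outcome to one word.
# --status-fd emits stable lines (GOODSIG/BADSIG/NO_PUBKEY); the human
# text "Good signature" is localized and may change between versions.
verify_detached() {  # $1 keyring dir, $2 signature file, $3 signed file
    status="$(gpg --homedir "$1" --batch --status-fd 1 --verify "$2" "$3" 2>/dev/null || true)"
    case "$status" in
        *"[GNUPG:] GOODSIG"*)   echo good ;;
        *"[GNUPG:] BADSIG"*)    echo bad ;;
        *"[GNUPG:] NO_PUBKEY"*) echo no-key ;;
        *)                      echo error ;;
    esac
}

# Full fingerprint of the primary key, for comparing with one obtained out of band.
key_fingerprint() {  # $1 keyring dir, $2 user id or key id
    gpg --homedir "$1" --batch --with-colons --fingerprint "$2" | awk -F: '$1 == "fpr" { print $10; exit }'
}

# --- signer side: generate a key, sign the picture, publish key and signature ---
gpg --homedir "$SIGNER" --batch --quiet --pinentry-mode loopback --passphrase '' \
    --quick-gen-key 'Demo Signer <demo@example.invalid>' default default 2>/dev/null
printf 'not really a JPEG, but the bytes do not matter\n' > "$WORK/bryan.jpg"
gpg --homedir "$SIGNER" --batch --quiet --pinentry-mode loopback --passphrase '' \
    --armor --detach-sign --output "$WORK/bryan.jpg.asc" "$WORK/bryan.jpg"
gpg --homedir "$SIGNER" --batch --armor --export demo@example.invalid > "$WORK/pubkey.asc"

# --- reader side: the steps from the page ---
# 1. Without the public key gpg can verify nothing: "no-key".
BEFORE_IMPORT="$(verify_detached "$READER" "$WORK/bryan.jpg.asc" "$WORK/bryan.jpg")"
# 2. Import the published key (the page fetches it from the website or keyserver).
gpg --homedir "$READER" --batch --quiet --import "$WORK/pubkey.asc" 2>/dev/null
# 3. Now the signature checks out: "good".
AFTER_IMPORT="$(verify_detached "$READER" "$WORK/bryan.jpg.asc" "$WORK/bryan.jpg")"
# 4. One extra byte in the picture and the same signature is "bad".
cp "$WORK/bryan.jpg" "$WORK/tampered.jpg"; printf 'x' >> "$WORK/tampered.jpg"
TAMPERED="$(verify_detached "$READER" "$WORK/bryan.jpg.asc" "$WORK/tampered.jpg")"
# 5. "good" only proves the file matches the key you imported; confirm the key
#    itself by comparing its fingerprint with one the signer gave you another way.
FPR_READER="$(key_fingerprint "$READER" demo@example.invalid)"
FPR_SIGNER="$(key_fingerprint "$SIGNER" demo@example.invalid)"

echo "before import: $BEFORE_IMPORT"
echo "after import:  $AFTER_IMPORT"
echo "tampered file: $TAMPERED"
echo "fingerprint:   $FPR_READER"
```

Both keyrings live under mktemp directories and are removed on exit, along with the gpg-agent instances gpg starts for them. Passing the signed file explicitly (gpg --verify sig file) avoids relying on gpg guessing the name from the .asc suffix when the files are not in the current directory.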
How Secure Is It?
A miscreant would have to do the following to fool you into trusting another
public key for me:
- Make a complete copy of my website
- Make the Domain Name Service (DNS) redirect your web browser to the fake
site
- Generate a fake key pair in my name
- Sign my picture again with the fake key
- Pretend to be me and tell you and all my contacts about the "new" key
- Get my contacts to use the new key in signed/encrypted messages
(Uploading a key in my name to the keyserver is trivial, since keyservers do
not check who submits a key; it is the signed picture on my own site that
ties the key to me, which is why the website has to be faked as well.)
Of course, (s)he would have to do all this without you and me noticing when we
exchange emails. My signatures would start failing to verify against the fake
key, and anything you encrypted to it I would be unable to decrypt.
So, while all of this is possible, it is extremely unlikely that someone
would be able to pass off a false public key as mine. And if they succeeded, what
do I have that they might steal? :-)