commons-dev mailing list archives

From Dave Brondsema <>
Subject Re: [PGP] API sketch
Date Mon, 30 May 2005 16:48:43 GMT
robert burrell donkin wrote:
> On Sun, 2005-05-29 at 23:41 -0400, Dave Brondsema wrote:
>>It would be useful, I think, to get a keyid from a signature, fetch and
>>update keys from a keyserver, and get names and email addresses from a
>>public key.
>>Just verifying the signature without showing whose key created it (which
>>depends on the above functionality) doesn't do a whole lot of good.
>>Although computing a trust value is what *really* does good.
> automatically fetching a public key from a server and then presenting
> the name and email from it would need to be approached carefully. for
> example, the key may say "Robert Burrell Donkin (CODE SIGNING KEY)
> <>" but may not be B1313DE2. it would be very unwise
> to trust such a key.

Exactly.  It might be best then to only add functionality for getting a
keyid from a signature.  If keyid is added as a member of
SignatureStatus, then the verify* methods are fine how they are.

Dave Brondsema : : programming : personal
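
The key ID lookup proposed in the message above, as an added Python example that is not part of the original post or of the commons code base: it parses one binary (non-armored) v4 signature packet in the RFC 4880 layout and compares the issuer key ID against IDs pinned locally. The function names, the pinned-ID check and the sample packet are assumptions made for illustration.

```python
ISSUER = 16  # RFC 4880 signature subpacket type: 8-byte issuer key ID

def _body(pkt):
    if len(pkt) < 2:
        raise ValueError("truncated packet")
    hdr = pkt[0]
    if hdr & 0xC0 == 0x80 and hdr & 0x03 != 3:   # old-format header
        tag, start = (hdr >> 2) & 0x0F, 1 + (1 << (hdr & 0x03))
        length = int.from_bytes(pkt[1:start], "big")
    elif hdr & 0xC0 == 0xC0 and pkt[1] < 192:    # new format, one-octet length
        tag, start, length = hdr & 0x3F, 2, pkt[1]
    else:
        raise ValueError("unsupported packet header")
    body = pkt[start:start + length]
    if tag != 2 or length < 10 or len(body) != length or body[0] != 4:
        raise ValueError("not a complete v4 signature packet")
    return body

def _subpackets(area):
    i = 0
    while i < len(area):
        n, used = area[i], 1
        if 192 <= n < 255:                       # two-octet length
            n, used = ((n - 192) << 8) + int.from_bytes(area[i + 1:i + 2], "big") + 192, 2
        elif n == 255:                           # five-octet length
            n, used = int.from_bytes(area[i + 1:i + 5], "big"), 5
        i += used
        if n == 0 or i + n > len(area):
            raise ValueError("malformed subpacket")
        yield area[i] & 0x7F, area[i + 1:i + n]  # mask the critical bit
        i += n

def issuer_key_id(pkt):
    body, pos = _body(pkt), 4
    for _ in range(2):                           # hashed area, then unhashed
        n = int.from_bytes(body[pos:pos + 2], "big")
        for kind, data in _subpackets(body[pos + 2:pos + 2 + n]):
            if kind == ISSUER and len(data) == 8:
                return data.hex().upper()
        pos += 2 + n
    return None

# Constructed packet, not a valid signature; only the short ID B1313DE2 is from the thread.
SAMPLE = bytes.fromhex("8820" "04001102" "0006" "0502429B45DB"
                       "000A" "0910" "01234567B1313DE2" "ABCD" "0008FF0008FF")

def is_expected_signer(pkt, pinned_ids):
    # The ID only selects a key already held locally; a fetched key's name proves nothing.
    return issuer_key_id(pkt) in pinned_ids
```

The issuer subpacket commonly sits in the unhashed area, so the returned ID is a lookup hint until the signature verifies against the key it names.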
