commons-dev mailing list archives

From Dave Brondsema <d...@brondsema.net>
Subject Re: [PGP] API sketch
Date Mon, 30 May 2005 16:48:43 GMT
robert burrell donkin wrote:
> On Sun, 2005-05-29 at 23:41 -0400, Dave Brondsema wrote:
>
>>It would be useful, I think, to get a keyid from a signature, fetch and
>>update keys from a keyserver, and get names and email addresses from a
>>public key.
>>
>>Just verifying the signature without showing whose key created it (which
>>depends on the above functionality) doesn't do a whole lot of good.
>>Although computing a trust value is what *really* does good.
>
>
> automatically fetching a public key from a server and then presenting
> the name and email from it would need to be approached carefully. for
> example, the key may say "Robert Burrell Donkin (CODE SIGNING KEY)
> <rdonkin@apache.org>" but may not be B1313DE2. it would be very unwise
> to trust such a key.
>

Exactly.  It might be best then to only add functionality for getting a
keyid from a signature.  If keyid is added as a member of
SignatureStatus, then the verify* methods are fine how they are.

--
Dave Brondsema : dave@brondsema.net
http://www.splike.com : programming
http://www.brondsema.net : personal
                <><
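
As an added illustration of "getting a keyid from a signature" (not code from this thread or from the API under discussion): a Python function that reads the issuer key ID out of a binary OpenPGP signature packet as laid out in RFC 4880. The function names and the sample packet are constructed for this example.

```python
ISSUER = 16  # RFC 4880 signature subpacket type holding the 8-octet issuer key ID

def _length(buf, i, two_max):  # decode a variable-size length at buf[i] -> (length, next i)
    n = buf[i]
    if 192 <= n <= two_max:
        return ((n - 192) << 8) + buf[i + 1] + 192, i + 2
    if n == 255:
        return int.from_bytes(buf[i + 1:i + 5], "big"), i + 5
    if n >= 192:
        raise ValueError("partial body lengths are not handled")
    return n, i + 1

def _body(pkt):  # strip the packet header; only a signature packet (tag 2) is accepted
    if len(pkt) < 2 or not pkt[0] & 0x80 or pkt[0] & 0x43 == 0x03:  # 0x03: indeterminate
        raise ValueError("not a definite-length OpenPGP packet")
    if pkt[0] & 0x40:                        # new-format header
        tag, (n, i) = pkt[0] & 0x3F, _length(pkt, 1, 223)
    else:                                    # old-format header: 1, 2 or 4 length octets
        tag, size = (pkt[0] >> 2) & 0x0F, 1 << (pkt[0] & 3)
        n, i = int.from_bytes(pkt[1:1 + size], "big"), 1 + size
    if tag != 2 or i + n > len(pkt):
        raise ValueError("not a complete signature packet")
    return pkt[i:i + n]

def _subpackets(area):  # yield (type, data) for each subpacket of a v4 subpacket area
    i = 0
    while i < len(area):
        n, i = _length(area, i, 254)
        if n == 0 or i + n > len(area):
            raise ValueError("malformed subpacket")
        yield area[i] & 0x7F, area[i + 1:i + n]  # bit 7 is the "critical" flag
        i += n

def issuer_key_id(pkt):
    """Return the issuer key ID of a binary signature packet as 16 hex digits, or None."""
    body = _body(pkt)
    if body[:1] == b"\x03":                  # v3 keeps the key ID at a fixed offset
        return body[7:15].hex().upper()
    if body[:1] != b"\x04":
        raise ValueError("unsupported signature version")
    pos = 4                                  # skip version, type and two algorithm octets
    for _ in range(2):  # hashed area, then unhashed area (not covered by the signature)
        n = int.from_bytes(body[pos:pos + 2], "big")
        for kind, data in _subpackets(body[pos + 2:pos + 2 + n]):
            if kind == ISSUER and len(data) == 8:
                return data.hex().upper()
        pos += 2 + n
    return None

SAMPLE = bytes.fromhex("881a040011020006" "0502429b4a1b" "000a09100123456789abcdef" "abcd")  # constructed, MPIs omitted
```

The returned ID only selects which key to check the signature against; the caller compares it with a key ID it already trusts rather than with the name and e-mail address carried on a fetched key.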
