Forum for the FireGPG's extention. (!Don't post too links or wait we unban your, akismet is very aggressive)
You are not logged in. Please login or register.
I've noticed that the verification solely provides you with a name and e-mail address, however it would take about 10 seconds to spoof just this (attacker could just as easily make a new key with the same name and email, alter message, and re-verify with that.) I think you need to add the fingerprint data to make sure that the verification is authentic, it's much more difficult to spoof that.
I don't unterstand very well....
Simply when verifying, why not provide the key fingerprint (mine's A3855D9B) in addition to simply the name and address to prevent key spoofing?
It might be an OK idea to show the ID, but creaturex is wrong to say that it could be spoofed. The way GPG works is that you have to import public keys into your keyring. It relies on you only importing keys that you trust, showing the ID doesn't help at all in this.
Apart from that you should NOT import keys with Firefox, but through your keyring manager, whatever that is. This process should remain totally outside Firefox.
@melianor : Why not ?
Powered by PunBB, supported by Informer Technologies, Inc.
Currently installed 2 official extensions. Copyright © 2003–2009 PunBB.