Josh (the blog)

GPG/PGP

I spent fifteen minutes figuring the whole GPG thing out today, and, I have to say, it makes lots more sense once you’ve attempted it once. This article from LUG@GT in particular is perhaps the most straightforward piece I’ve ever read on this matter, but that’s dually a comment on the literary capabilities of the F/OSS community as a whole, yet simultaneously an endorsement of the article itself.

The one thing I still don’t quite get is how a message — speaking of emails, here — can be considered as “authentic” as a result of its GPG signature. The signature varies based on the content of the message, and somehow this signature can be considered authentic. Published or not, I still struggle to see how a message can be authoritatively considered authentic or otherwise based on a public authentication method seemingly in a state of flux. Perhaps the message content when compared against the key yields the email address and name, against which the message is compared?

If so, in the page linked to above there is (another link to) a full public key not represented in the email message that is supposedly authenticated… not even in its abbreviated hex form (or whatever the heck (hex? :p) 0x426B3C19 is meant to represent — that’s my public key, by the way.)

Anyone who knows how this stuff works got a better/clearer explanation for me? I can understand or at least interact with the encryption side of things without difficulty… I just struggle to see how this signature can be in any way meaningful, when it changes whilst supposedly representing some constant. I’ve proposed a possibility in this post, of course, but I can’t prove it… maybe that’s what the Comment field GPG offers is for? Skeptics like me?
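The short answer to the question above is that the signature is supposed to change with every message: it is the result of applying the signer’s private key to a hash of the message, so altering even one byte of the content produces a different signature. The constant is not the signature but the key pair. Anyone holding the public key (looked up by a key ID such as 0x426B3C19, which names the key rather than containing it) can check that the signature was produced by the matching private key over exactly this content. The Python below is an added illustration written for this post, not GPG’s own code: it uses a toy textbook-RSA key made from tiny constructed primes and a hash-then-sign scheme to show why a signature that varies per message still verifies against one fixed public key. The key numbers, messages and the `key_id` helper are all constructed for the example; real GPG keys are thousands of bits long and add padding on top of the raw operation shown here.

```python
import hashlib

# Toy textbook-RSA key pair built from tiny constructed primes.
# Illustration only: real GPG keys are thousands of bits long and
# use padding schemes on top of the raw operation shown here.
P, Q = 61, 53
N = P * Q                 # public modulus, 3233
E = 17                    # public exponent
D = 2753                  # private exponent; (E * D) % ((P - 1) * (Q - 1)) == 1

PUBLIC_KEY = (N, E)       # what the signer publishes (and what a key ID points at)
PRIVATE_KEY = (N, D)      # what only the signer holds


def digest(message: bytes) -> int:
    """Hash the message and reduce it into the toy key's range.

    The hash is what actually gets signed, so the signature is a
    function of every byte of the message and changes whenever the
    message changes. That variation is the point, not a defect.
    """
    h = hashlib.sha256(message).digest()
    return int.from_bytes(h, "big") % N


def sign(message: bytes, private_key=PRIVATE_KEY) -> int:
    """Signer side: apply the private exponent to the message digest."""
    n, d = private_key
    return pow(digest(message), d, n)


def verify(message: bytes, signature: int, public_key=PUBLIC_KEY) -> bool:
    """Verifier side: undo the private-key operation with the public key.

    Recovering the digest proves two things at once: the signature was
    made with the private key matching this public key, and the message
    in hand is byte-for-byte the one that was signed.
    """
    n, e = public_key
    return pow(signature, e, n) == digest(message)


def key_id(public_key=PUBLIC_KEY) -> str:
    """Short identifier derived from the public key, in the style of 0x426B3C19.

    Simplified analogy (constructed for this example): real OpenPGP key IDs
    are the low bits of a SHA-1 fingerprint of the key packet. Either way
    the ID names the key; it never carries it. The verifier fetches the
    full public key by ID, which is why the linked page has to publish it.
    """
    n, e = public_key
    return "0x" + hashlib.sha256(f"{n}:{e}".encode()).hexdigest()[-8:].upper()


def main() -> None:
    msg = b"Meet at noon."          # constructed sample message
    sig = sign(msg)
    print("key id      :", key_id())
    print("signature   :", sig)
    print("verifies    :", verify(msg, sig))
    # Change the content: the signature no longer matches, so the
    # recipient knows this is not what the signer approved.
    print("tampered    :", verify(b"Meet at ten.", sig))
    # A different message from the same key gets a different signature,
    # yet both verify against the one constant: the public key.
    print("other msg ok:", verify(b"Second note.", sign(b"Second note.")))


if __name__ == "__main__":
    main()
```

Run it as a script to see one key ID, two different signatures, and a failed check on the edited message. The name and email address in the key’s user ID are not what gets compared; they are simply attached to the public key, and the check that matters is the arithmetic in `verify`, which only succeeds when the signature was made with the private half of that same key over exactly this content.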