Storage internals: UUID
Daniel Carrera
dcarrera at hush.com
Wed Jun 13 02:54:29 UTC 2012
On Wednesday, June 13, 2012 at 4:00 AM, Mark Grandi <markgrandi at gmail.com> wrote:
>
> I know how gpg works, sorry if you misunderstood my question, but what happens
> if my committer email is 'mark at example.com', I create a gpg key with
> that email and sign my commits, now evil bob, also creates a gpg key with my email
> address, and then he can theoretically resign the signature text and it would be valid
> with HIS key, but not mine, I'm just confused on what happens since the only identifier in
> the signature text is the email,
You say you understand how GPG works, but your question should be more than covered by your previous knowledge and what I wrote in my previous email: It doesn't matter if the text you are signing has your email. Why would GPG care? The text being signed is not trusted until the signature has been checked. That is the whole *point* of a signature. You also do *not* trust that a GPG key comes from the owner of mark at example.com just because the key claims that it does. That would be absurd.
This is not about Bzr or the testament file. This is something universal that goes to the very point of having GPG signatures. Imagine that you receive a contract from Bill Gates for $100M for some candy. The contract claims to be from Bill Gates. It certainly has his physical address, email address and signature. It even has a GPG signature that claims to be from gates at microsoft.com... Do you trust it?
This is the whole point of GPG, the web of trust, and everything I wrote in my previous post. You do NOT trust a key until you have verified it through some alternate channel that you trust enough for your purposes. What channel you deem acceptable is a function of how much security you feel you need.
Anyway, I think that this is getting off topic... Discussions of GPG and how it works probably don't belong in this forum.
Daniel.
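The "evil Bob" scenario from the thread, as an added illustration that is not part of the original exchange or of Bazaar: two keys both claim the UID mark@example.com, Bob's signature verifies perfectly under Bob's own key, and the only thing that separates the two is whose fingerprint you pinned through an out-of-band channel. It uses Ed25519 from the Go standard library in place of OpenPGP, and the Key type, Fingerprint, VerifyTrusted and the commit text are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Key models a public key carrying a self-asserted user ID, as an OpenPGP key does.
type Key struct {
	UID string
	Pub ed25519.PublicKey
}

// Fingerprint is what you pin after out-of-band verification; the UID plays no part.
func Fingerprint(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:8])
}

// VerifyTrusted accepts a signature only under a key whose fingerprint was
// previously verified through some alternate channel you trust.
func VerifyTrusted(trusted map[string]bool, signer Key, msg, sig []byte) bool {
	if !trusted[Fingerprint(signer.Pub)] {
		return false // the key merely claims the UID; nobody vouched for it
	}
	return ed25519.Verify(signer.Pub, msg, sig)
}

// Scenario: Mark and "evil Bob" both hold keys with UID mark@example.com.
func Scenario() (bobSigValid, bobTrusted, markTrusted bool) {
	markPub, markPriv, _ := ed25519.GenerateKey(rand.Reader)
	bobPub, bobPriv, _ := ed25519.GenerateKey(rand.Reader)
	mark := Key{UID: "mark@example.com", Pub: markPub}
	bob := Key{UID: "mark@example.com", Pub: bobPub} // same email, different key
	// Only Mark's fingerprint was confirmed out of band (read over the phone, say).
	trusted := map[string]bool{Fingerprint(markPub): true}
	commit := []byte("committer: mark@example.com\nmessage: constructed sample\n")
	bobSig := ed25519.Sign(bobPriv, commit)
	markSig := ed25519.Sign(markPriv, commit)
	bobSigValid = ed25519.Verify(bobPub, commit, bobSig)     // cryptographically fine
	bobTrusted = VerifyTrusted(trusted, bob, commit, bobSig) // but rejected: untrusted key
	markTrusted = VerifyTrusted(trusted, mark, commit, markSig)
	return
}

func main() { fmt.Println(Scenario()) } // prints: true false true
```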