In other words, if the sha matches, then it wasn’t corrupted during downloading. If the signature matches, then it wasn’t tampered with before you downloaded it.
There’s also a third check. Even if the certificate signature is valid, you have to have confidence that the certificate is authentic and trusted to be from the original author. This is usually done by having a trusted third party sign the certificate with another, more trusted, certificate.
really its just different trust root authorities presuming we are still talking pk distribution infra involved here. alice and bob can of course always trade keys in other ways. if its distributed you have to root trust with a ledger (trust area: key ceremony, consensus protocol) or a CA (trust area: the CA chain, every step is another element of trust)
You are not logged in. However you can subscribe from another Fediverse account, for example Lemmy or Mastodon. To do this, paste the following into the search field of your instance: !technology@beehaw.org
A nice place to discuss rumors, happenings, innovations, and challenges in the technology sphere. We also welcome discussions on the intersections of technology and society. If it’s technological news or discussion of technology, it probably belongs here.
Remember the overriding ethos on Beehaw: Be(e) Nice. Each user you encounter here is a person, and should be treated with kindness (even if they’re wrong, or use a Linux distro you don’t like). Personal attacks will not be tolerated.
In other words, if the sha matches, then it wasn’t corrupted during downloading. If the signature matches, then it wasn’t tampered with before you downloaded it.
There’s also a third check. Even if the certificate signature is valid, you have to have confidence that the certificate is authentic and trusted to be from the original author. This is usually done by having a trusted third party sign the certificate with another, more trusted, certificate.
really its just different trust root authorities presuming we are still talking pk distribution infra involved here. alice and bob can of course always trade keys in other ways. if its distributed you have to root trust with a ledger (trust area: key ceremony, consensus protocol) or a CA (trust area: the CA chain, every step is another element of trust)