I set up a personal email certificate with my name and email using Enigmail and GnuPG in Mozilla Thunderbird. I used Kleopatra to put the certificate on the server.
What I don't understand is that no attempt seems to be made to verify that I'm actually the owner of the account I'm making a certificate for. When you apply for an SSL certificate for a web server, you show that you actually own the domain by putting a file, a DNS record, or something else on the server, or by receiving an email at postmaster@your-domain.
Then how does signing messages with PGP work exactly? Is there anything to prevent me from signing a message with a different identity? Because if not, what additional security does signing a message provide?
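The question above asks what a PGP signature actually proves when nobody checked the name and address on the key. The following Go program is an added example, not part of the original post and not GnuPG code; it models the relevant pieces of an OpenPGP key (a key pair, a self-asserted User ID, and the self-signature that binds the two) with Ed25519 from the standard library standing in for the real packet format, and uses a truncated SHA-256 hash as a stand-in fingerprint. The type, function and identity names (`Key`, `Scenario`, "Alice Example <alice@example.com>") are constructed for illustration. It shows that a signature verifies only against the public key whose private half produced it and fails if the message is altered, while the User ID is something any key holder can self-certify for any string, so two keys can both "legitimately" claim the same name and email and only the fingerprint, checked out of band, tells them apart.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Key is a simplified model (not the OpenPGP packet format) of what a
// locally generated PGP key contains: a key pair, a User ID chosen by the
// creator, and a self-signature binding that User ID to the public key.
type Key struct {
	Pub     ed25519.PublicKey
	priv    ed25519.PrivateKey
	UserID  string
	SelfSig []byte
}

// NewKey generates a key and self-certifies whatever User ID is supplied.
// Nothing here checks that the creator controls the address; this mirrors
// what a local key generation does.
func NewKey(userID string) (*Key, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	k := &Key{Pub: pub, priv: priv, UserID: userID}
	k.SelfSig = ed25519.Sign(priv, append([]byte(userID), pub...))
	return k, nil
}

// Fingerprint is the value a recipient compares out of band to decide which
// key really belongs to the person (simplified stand-in for an OpenPGP fingerprint).
func (k *Key) Fingerprint() string {
	sum := sha256.Sum256(k.Pub)
	return hex.EncodeToString(sum[:8])
}

// Sign produces a detached signature over the message.
func (k *Key) Sign(msg []byte) []byte {
	return ed25519.Sign(k.priv, msg)
}

// Verify checks a detached signature against a public key. It proves the
// signer holds that key's private half and that msg is unaltered; it says
// nothing about who the key holder is.
func Verify(pub ed25519.PublicKey, msg, sig []byte) bool {
	return ed25519.Verify(pub, msg, sig)
}

// VerifyUserID checks the self-signature binding User ID to key. Any key
// holder can produce this for any string, so it shows the key holder chose
// that User ID, not that the User ID is truthful.
func VerifyUserID(k *Key) bool {
	return ed25519.Verify(k.Pub, append([]byte(k.UserID), k.Pub...), k.SelfSig)
}

// Outcome collects what a recipient can and cannot learn in the scenario.
type Outcome struct {
	SigVerifiesWithSignerKey bool // signature checks out against the key that made it
	SigVerifiesWithOtherKey  bool // same signature against the other key claiming the same identity
	SigVerifiesAfterTamper   bool // signature against a modified message
	BothUserIDsSelfCertified bool // both keys carry a valid self-signature over the same User ID
	FingerprintsDiffer       bool // the only thing that distinguishes the two keys
}

// Scenario: two keys are created for the same constructed identity; one of
// them signs a message. The recipient sees a valid signature and a valid
// self-certified User ID either way.
func Scenario() (Outcome, error) {
	const uid = "Alice Example <alice@example.com>" // constructed identity
	alice, err := NewKey(uid)
	if err != nil {
		return Outcome{}, err
	}
	impostor, err := NewKey(uid) // same name and address, different key
	if err != nil {
		return Outcome{}, err
	}
	msg := []byte("Please wire the invoice to the new account.") // constructed message
	sig := impostor.Sign(msg)
	tampered := append([]byte{}, msg...)
	tampered[0] ^= 0x01
	return Outcome{
		SigVerifiesWithSignerKey: Verify(impostor.Pub, msg, sig),
		SigVerifiesWithOtherKey:  Verify(alice.Pub, msg, sig),
		SigVerifiesAfterTamper:   Verify(impostor.Pub, tampered, sig),
		BothUserIDsSelfCertified: VerifyUserID(alice) && VerifyUserID(impostor),
		FingerprintsDiffer:       alice.Fingerprint() != impostor.Fingerprint(),
	}, nil
}

func main() {
	o, err := Scenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", o)
}
```

The practical reading: a signature guarantees integrity and ties the message to one specific key, so an impostor can sign as "Alice" only with a key whose fingerprint differs from the real Alice's. That is why GnuPG reports a good signature from a key with no trust path as untrusted, and why the fingerprint has to be verified in person or through signatures from keys you already trust before the name on the key means anything.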