From: dmandl@lehman.com (David Mandl)
Date: Fri, 29 Oct 93 12:04:04 PDT
To: jdblair@nextsrv.cas.muohio.edu
Subject: Re: signing messages
Message-ID: <9310291859.AA09570@disvnm2.lehman.com>
MIME-Version: 1.0
Content-Type: text/plain


> How does one sign a message w/ PGP when one doesn't have the public key of a
> recipient?  Example: when a key is signed to authenticate it, or when the
> source code for PGP is signed to authenticate it.
> 
> Forgive me if this is a stupid question.
> -john.

There are no recipients necessarily involved.  A signature with your
secret key is proof that the message (or file) came from you.  Anyone
with your public key can confirm its authenticity.  If you want to
sign someone's public key, you obviously need their key, but otherwise,
signing something involves only you and no one else.  (Many people's
public keys are on the public key servers, so that's a good place to
look if you need to find someone's key.  See the document <keyserv.doc>
in the PGP package for more information about the servers.)

If you want to sign a message intended for one person only, you sign
it and then encrypt with their public key.

   --Dave.