Contest logging software for winning CW, SSB, RTTY, and PSK31.

Security Footnotes

PGP does this verification--how could it possibly do this?

The .sig file was created from the .zip file in two steps. First, a numeric calculation called a digest is run over each and every byte of the .zip file. The mathematics of the digest is such that it is nearly impossible to create some other file that has the same digest. Then the .sig file is computed from the combination of the digest and the WriteLogSales key--but not the key that you get publicly. That public key is only half of a key pair, and the WriteLog team has the private half. The computation that produces the .sig file uses the digest and the private half of the WriteLogSales key. The "magic" of the public key encryption system is that you (using the PGP software, for example) can use the key's public half to computationally determine that the .sig file was generated using the key's private half. Since I am the only person that has access to the private half, you can be sure I created the .sig. And since the digest in the .sig matches the digest of the .zip file, and it is nearly impossible to create an alternative file with a matching digest, you can be quite sure that the .zip file came from me.

no magic answer
This security feature being offered by the WriteLog team to its customers is about the only one we can use without adding substantial cost to delivering the product. Another method that would work at low cost, but does not currently exist, is if there were a third party that is trusted by both you, the customer, and the WriteLog team. If that third party had a public key/private key pair (which we both trusted), and if that third party had reason to believe my signature (i.e. WriteLogSales.asc) is authentic, then that third party could provide a secure way for the two of us to communicate a public key. For example, I live in Texas and I have to physically appear in person once per decade at the Drivers' License office in order to get a license. If the state decided to provide such a service, the state and I could do a simple digital transaction at that time that would give me a private key/public key pair, and the state could publish the public half in a public directory that guarantees that W5XD showed up on that day at that place and was issued that key. The "meaning" of such a key would simply be that "the state of Texas asserts that W5XD exists to the extent that we saw him and his birth certificate on such-and-so date and took his picture". Note that the driver's license issued to me by Texas also attests to pretty much the same facts (along with any results of vision and driving tests) and not much more. Finally, if you also happen to trust the state of Texas' opinion about whether or not W5XD exists, then you could trust their directory entry for the public key for W5XD and you would not need to worry about whether the one you download from writelog.com is authentic.
This whole process doesn't sound quite as silly if you consider the possibility of its opposite--there is no government entity that knows whether your software vendor exists or not, whether they made up their name and address, or whether they can be found if they do something you don't like.
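The two ideas above (a signature computed from a digest with the private half of a key and checked with the public half, and a trusted third party publishing a signed binding between a name and a public key) can be shown end to end in a few lines. The following is an added illustration, not WriteLog's code and not the algorithm PGP actually uses: it is textbook RSA over a SHA-256 digest with toy 512-bit keys and no padding, and the "state of Texas" directory is played by a second, hypothetical key pair. The names `sign`, `verify`, `certify` and `verify_release`, the subject name "W5XD" and the release bytes are all constructed for the example.

```python
import hashlib
import random

# Added illustration (not WriteLog's code and not the PGP implementation):
# textbook RSA signature over a SHA-256 digest, plus a "third party"
# certificate binding a name to a public key. Toy key sizes and no padding;
# real PGP uses larger keys and a padded signature scheme.

_rng = random.SystemRandom()  # OS entropy, not the seedable Mersenne Twister


def is_probable_prime(n, rounds=32):
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = _rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits):
    """Random odd prime with the top bit set, so n = p*q has 2*bits bits."""
    while True:
        cand = _rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand


def generate_keypair(bits=512):
    """Return ((n, e), (n, d)): the public half and the private half."""
    e = 65537
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p == q or phi % e == 0:
            continue
        return (p * q, e), (p * q, pow(e, -1, phi))


def digest(data):
    """The 'digest': a fixed-size value that depends on every byte of data."""
    return hashlib.sha256(data).digest()


def sign(private_key, data):
    """Produce the .sig equivalent: the digest raised to the private exponent."""
    n, d = private_key
    return pow(int.from_bytes(digest(data), "big"), d, n)


def verify(public_key, data, signature):
    """Anyone holding the public half can check the .sig against the file."""
    n, e = public_key
    return pow(signature, e, n) == int.from_bytes(digest(data), "big")


def _binding(name, public_key):
    # Canonical statement the third party signs: "this name owns this key".
    return f"{name}:{public_key[0]}:{public_key[1]}".encode()


def certify(authority_private, name, public_key):
    """The third party (hypothetical state directory) vouches for a key."""
    return sign(authority_private, _binding(name, public_key))


def verify_release(authority_public, name, vendor_public, cert_sig, zip_bytes, zip_sig):
    """Trust chain: authority vouches for the vendor key, vendor key signs the .zip."""
    key_is_certified = verify(authority_public, _binding(name, vendor_public), cert_sig)
    return key_is_certified and verify(vendor_public, zip_bytes, zip_sig)


if __name__ == "__main__":
    state_pub, state_priv = generate_keypair()    # hypothetical trusted third party
    vendor_pub, vendor_priv = generate_keypair()  # stands in for the WriteLogSales pair
    cert = certify(state_priv, "W5XD", vendor_pub)
    release = b"constructed stand-in for the WriteLog .zip bytes"
    sig = sign(vendor_priv, release)
    print("genuine release:", verify_release(state_pub, "W5XD", vendor_pub, cert, release, sig))
    tampered = release[:-1] + bytes([release[-1] ^ 1])  # one bit flipped
    print("tampered release:", verify_release(state_pub, "W5XD", vendor_pub, cert, tampered, sig))
    other_pub, other_priv = generate_keypair()  # a key the directory never certified
    print("uncertified key:", verify_release(state_pub, "W5XD", other_pub, cert, release, sign(other_priv, release)))
```

Running the block prints True for the genuine release and False for both the tampered file and the uncertified key: changing a single bit changes the digest, so the old .sig no longer matches, and a signature from a key the directory never vouched for is rejected before the file signature is even consulted.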

never is a very long time.
There are circumstances where you might have to give up on the public key that you once thought was secure. The first one is that I might somehow lose the corresponding private key. If I only have a copy on one computer and that computer is destroyed without a backup, then I am no longer able to create .sig files that your PGP will accept. So we will have to start over with the process of building our confidence relationship. Another way I can lose that trust is if a computer containing the WriteLogSales private key is violated in any way. If I believe there is a possibility that someone has managed to steal that key, then no one can be sure that I am the one who created the .sig files anymore. PGP protects the private key with a passphrase to make this kind of loss more difficult. If a hacker breaks into my computer and steals my PGP key files, then he doesn't have my private key yet. He has to also guess my passphrase before he can start generating .sig files that look like they are mine.

Send mail to k5dj@writelog.com with questions or comments about this web site.
Copyright © 1997-2005 by Ron Stailey, K5DJ

Site design by K5ZD