Re: [Debconf-discuss] Call for keys for keysigning in Edinburgh during DebConf7
- To: "Giacomo A. Catenazzi" <cate@debian.org>
- Cc: debconf-discuss@lists.debconf.org
- Subject: Re: [Debconf-discuss] Call for keys for keysigning in Edinburgh during DebConf7
- From: Wouter Verhelst <wouter@debian.org>
- Date: Sun, 3 Jun 2007 11:49:16 +0200
- Message-id: <20070603094916.GA5222@grep.be>
- In-reply-to: <465EEEFA.6090304@debian.org>
- References: <874pmm977d.fsf@glaurung.internal.golden-gryphon.com> <20070521130131.GA22548@zoy.org> <874pm5ep7a.fsf@glaurung.internal.golden-gryphon.com> <20070522161904.GH22548@zoy.org> <20070522192409.GP8659@kheops.homeunix.org> <4654107A.9050503@hands.com> <20070530234813.GA19644@grep.be> <87wsyprqek.fsf@glaurung.internal.golden-gryphon.com> <20070531151317.GA10931@piper.oerlikon.madduck.net> <465EEEFA.6090304@debian.org>
On Thu, May 31, 2007 at 05:51:22PM +0200, Giacomo A. Catenazzi wrote:
> I really see few people that check identity AND the email (people tend
> to sign all key-identity of a key).
That's wrong.
> How to do this check in a reliable and completely secure way?
> (I think that a man on the middle attack is always possible).
Send an encrypted mail to the email address that contains the signature
*for that address only*. The 'caff' script in the signing-party package
will automate this for you.
--
Shaw's Principle:
Build a system that even a fool can use, and only a fool will
want to use it.
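
The per-address check described in the reply above, as an added example that is not part of the original message and is not caff's own code: it parses a constructed `gpg --list-keys --with-colons` listing and plans one mail per user ID, so each signature reaches only the address it certifies. The sample key, the function names and the plan format are assumptions; signing, encrypting and sending are left to gpg.

```python
import re

# Constructed `gpg --list-keys --with-colons` output; not a real key.
SAMPLE = """\
pub:u:4096:1:89ABCDEF01234567:1180000000:::u:::scESC:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:u::::1180000000::HASH1::Alice Example <alice@example.org>:
uid:u::::1180000000::HASH2::Alice Example <alice@example.net>:
uid:r::::1180000000::HASH3::Alice Example <old@example.com>:
uid:u::::1180000000::HASH4::Alice Example (no address):
sub:u:4096:1:0011223344556677:1180000000::::::e:
"""

# Mail address in angle brackets at the end of a user ID string.
EMAIL = re.compile(r"<([^<>@\s]+@[^<>@\s]+)>\s*$")

def unescape(field):
    # gpg writes ':' and other special bytes inside a field as \xNN.
    return re.sub(r"\\x([0-9a-fA-F]{2})",
                  lambda m: chr(int(m.group(1), 16)), field)

def per_uid_mail_plan(colons):
    """Return (fingerprint, [(recipient, uid)], skipped_uids)."""
    fpr, plan, skipped = None, [], []
    for line in colons.splitlines():
        f = line.split(":")
        if len(f) < 10:
            continue                      # too short to carry field 10
        if f[0] == "fpr" and fpr is None:
            fpr = f[9]                    # first fpr record is the primary key
        elif f[0] == "uid":
            uid = unescape(f[9])
            m = EMAIL.search(uid)
            if f[1] in ("r", "e") or not m:
                skipped.append(uid)       # revoked/expired, or no address to mail
            else:
                plan.append((m.group(1), uid))
    return fpr, plan, skipped

if __name__ == "__main__":
    fpr, plan, skipped = per_uid_mail_plan(SAMPLE)
    for rcpt, uid in plan:
        # One mail per UID: it carries the signature on `uid` alone and is
        # encrypted to `fpr`, so the signature is usable only by someone who
        # both reads that mailbox and holds the private key.
        print(f"to {rcpt}: signature on '{uid}' only, encrypted to {fpr}")
    for uid in skipped:
        print(f"skipped: {uid}")
```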