On Thu, Apr 29, 1999 at 05:14:46PM -0500, Manoj Srivastava wrote:
> Joseph> Another reasonable way to identify someone who wants a new
> Joseph> key or userid on their old key signed is if they send me a
> Joseph> message signed by their current key (which has my signature)
> Joseph> with the new one and a request.. This is good if you've got
> Joseph> an old email address that is no longer valid (my earthlink
> Joseph> address) and you'd like it removed. Note this is not easy to
> Joseph> do with PGP at the moment.
>
> Umm, that assumes that the person asking you for the new sig
> is not really an identity thief that has gotten hold of the old PGP
> pass phrase.

I'm not sure you're understanding what I'm describing ... In this case it is
my @debian email address which I added to my key because my @earthlink
address is long ago defunct. If you've already signed the old email address,
signing the new one doesn't change much.

This is probably an argument against including email addresses in PGP keys,
but what can I say?

> I generally ask for two forms of ID, but even that is not
> perfect (nothing is).

Paranoia is in general a good thing. =>

--
Joseph Carter <knghtbrd@debian.org>            Debian GNU/Linux developer
PGP: E8D68481E3A8BB77 8EE22996C9445FBE            The Source Comes First!
-------------------------------------------------------------------------
* Overfiend ponders doing an NMU of asclock, in which he simply changes the
  extended description to "If you bend over and put your head between
  your legs, you can read the time off your assclock."
<doogie> Overfiend: go to bed.