Re: PGP Key Signing HOWTO: preparation for Linux Expo

[Manoj Srivastava <srivasta@debian.org>]

Hi,
>>"Joseph" == Joseph Carter <knghtbrd@debian.org> writes:

 Joseph> It does matter.  You have to be certain.  A person I know
 Joseph> well enough that I would recognize their voice, have seen
 Joseph> their ID, and calling me to verify keyid, size, and
 Joseph> fingerprint is good enough for me (because I have good memory
 Joseph> for what people who are ... um, unique and stand out in my
 Joseph> mind (krooger for his trademark silly hat among other things)
 Joseph> is enough for me if I can be certain it's them, but
 Joseph> otherwise, I need to have met them and be sure.

        Heh. Won't do at all, unless you ask them trick questions that
 only they klnow the answers to. (Voices can be forged well enough to
 fool human ears over a phone line)

 Joseph> Another reasonable way to identify someone who wants a new
 Joseph> key or userid on their old key signed is if they send me a
 Joseph> message signed by their current key (which has my signature)
 Joseph> with the new one and a request..  This is good if you've got
 Joseph> an old email address that is no longer valid (my earthlink
 Joseph> address) and you'd like it removed.  Note this is not easy to
 Joseph> do with PGP at the moment.

        Umm, that assumes that the person asking you for the new sig
 is not really a identity thief that has gotten hold of the old PGP
 pass phrase.

        I generally ask for two forms of ID, but even that is not
 perfect (nothing is).

        manoj
-- 
 Q: Why haven't you graduated yet? A: Well, Dad, I could have finished
 years ago, but I wanted my dissertation to rhyme.
Manoj Srivastava   <srivasta@debian.org>  <http://www.debian.org/%7Esrivasta/>
Key C7261095 fingerprint = CB D9 F4 12 68 07 E4 05  CC 2D 27 12 1D F5 E8 6E