Re: PGP Key Signing HOWTO: preparation for Linux Expo
Hi,
>>"Joseph" == Joseph Carter <knghtbrd@debian.org> writes:
Joseph> It does matter. You have to be certain. A person I know
Joseph> well enough that I would recognize their voice, have seen
Joseph> their ID, and calling me to verify keyid, size, and
Joseph> fingerprint is good enough for me (because I have good memory
Joseph> for what people who are ... um, unique and stand out in my
Joseph> mind (krooger for his trademark silly hat among other things)
Joseph> is enough for me if I can be certain it's them, but
Joseph> otherwise, I need to have met them and be sure.
Heh. Won't do at all, unless you ask them trick questions that
only they know the answers to. (Voices can be forged well enough to
fool human ears over a phone line.)
Joseph> Another reasonable way to identify someone who wants a new
Joseph> key or userid on their old key signed is if they send me a
Joseph> message signed by their current key (which has my signature)
Joseph> with the new one and a request. This is good if you've got
Joseph> an old email address that is no longer valid (my earthlink
Joseph> address) and you'd like it removed. Note this is not easy to
Joseph> do with PGP at the moment.
Umm, that assumes that the person asking you for the new sig
is not really an identity thief that has gotten hold of the old PGP
pass phrase.
I generally ask for two forms of ID, but even that is not
perfect (nothing is).
manoj
--
Q: Why haven't you graduated yet? A: Well, Dad, I could have finished
years ago, but I wanted my dissertation to rhyme.
Manoj Srivastava <srivasta@debian.org> <http://www.debian.org/%7Esrivasta/>
Key C7261095 fingerprint = CB D9 F4 12 68 07 E4 05 CC 2D 27 12 1D F5 E8 6E