
Re: PGP Key Signing HOWTO: preparation for Linux Expo



On Thu, Apr 29, 1999 at 05:14:46PM -0500, Manoj Srivastava wrote:
>  Joseph> Another reasonable way to identify someone who wants a new
>  Joseph> key or userid on their old key signed is if they send me a
>  Joseph> message signed by their current key (which has my signature)
>  Joseph> with the new one and a request..  This is good if you've got
>  Joseph> an old email address that is no longer valid (my earthlink
>  Joseph> address) and you'd like it removed.  Note this is not easy to
>  Joseph> do with PGP at the moment.
> 
>         Umm, that assumes that the person asking you for the new sig
>  is not really an identity thief that has gotten hold of the old PGP
>  pass phrase.

I'm not sure you're understanding what I'm describing ...  In this case
it is my @debian email address which I added to my key because my
@earthlink address is long ago defunct.  If you've already signed the old
email address, signing the new one doesn't change much.  This is probably
an argument against including email addresses in PGP keys, but what can I
say?


>         I generally ask for two forms of ID, but even that is not
>  perfect (nothing is).

Paranoia is in general a good thing.  =>

--
Joseph Carter <knghtbrd@debian.org>            Debian GNU/Linux developer
PGP: E8D68481E3A8BB77 8EE22996C9445FBE            The Source Comes First!
-------------------------------------------------------------------------
* Overfiend ponders doing an NMU of asclock, in which he simply changes
  the extended description to "If you bend over and put your head between
  your legs, you can read the time off your assclock."

<doogie> Overfiend: go to bed.
