[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Migrating to GPG - A mini-HOWTO

Paul Slootman <paul@wau.mis.ah.nl> writes:

> How do you prove to whoever is able to erase the package that you
> are who you say you are? I.e. how do you convince them that they
> should in fact erase the package? 

You do that by sending them a message signed with a new key, that you
have had signed by someone else.  As long as people don't adopt the
``I'll sign anything you like, once I've met you once'' attitude, this

To address the ``If you trust it for anything, you should trust it for
everything'' argument, lets try to draw an analogy in the real world:

  Lets say you are a bank manager, and you have a list of all your
  customer's signatures (which are difficult to forge).

  Customer A sends you a signed letter, instructing you to transfer
  100.00 to another person's account.

  Customer B mails you a signed letter saying that they have had
  plastic surgery, and changed their name, and not only do they want
  you to transfer all future control of the account into this new
  name, but they also want you to sign an affidavit saying that you're
  sure that these two names apply to the same person.

  I think you're quite likely to do as requested by ``A'', but will
  request that customer B come in, in person, with all required
  documentation to prove their claims, before doing what they asked.

If any of the people reading this treat key signing any less seriously
than signing such an affidavit, then please speak up so that the rest
of us can tell PGP/GPG that your signatures are proof of nothing much.

Cheers, Phil.

Reply to: