Re: Keysigning Party, et al...
Clay Crouch wrote:
> Maybe I am wrong, but I do not feel the need to verify the key on disk.
> A disk with UID/Fingerprint pair(s) written on the label, handed to me
> by a person whose ID (DL, Passport, etc) I have seen suffices for me
> to believe that the key(s) contained on the disk is indeed theirs.
> After all, I received not just the Fingerprint/ID info for their key,
> but *the_key_itself* from their hand. IMHO, that's 100% surety.

Did they have the disk in their possession from the moment they put the
key on it until they handed it to you? Could it have been replaced with
a similar disk, or altered in that time period? Are you able to take
precautions to ensure these things don't happen from the moment you
receive the disk until you use it?

These are all reasons I'm wary of disks for key-exchange, especially if
one or both parties is traveling to meet the other. I personally like
printed materials (business cards work well). Easy to keep safely on
your person at all times. Easy to verify before you give to someone
(just print it up in a distinctive way and memorize your key fingerprint).
Easy to mark immediately when you receive it to ensure it is not replaced
behind your back (just sign it, then put it in your wallet).

Yeah, this is paranoid, but paranoia is a good idea when signing keys,
and can be a fun outlet too. ;-)

see shy jo, who only has part of his new key's fingerprint memorized.