[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Keysigning without physically meeting ... thoughts?

On Sat, Jun 11, 2005 at 11:17:21PM -0700, Steve Langasek wrote:
> > What are we setting out to achieve?
> - To verify that the person so identified controls a specific email address

What does 'control' mean here? Given this:

> Many people consider all of options a), b), and c) to be inappropriate, and
> will instead encrypt each of the uid signatures individually and mail them
> to the corresponding email address, to verify that you control each address.

I presume that you just mean 'is capable of receiving mail sent to the
address', but that is anybody at all with an internet connection and a
copy of woody, which contains all you need to capture other people's
mail. I'm not sure why you're bothering to verify that the person so
identified falls into this group.

Mail delivery is nothing remotely resembling secure. That's why we
need keys in the first place (and all you people waving smtp-tls
around, go back and think about how useful that's going to be without
signing keys).

(I can't even be bothered to start laughing at the idea of encrypting
signatures. That's just too silly even for ridicule).

  .''`.  ** Debian GNU/Linux ** | Andrew Suffield
 : :' :  http://www.debian.org/ |
 `. `'                          |
   `-             -><-          |

Attachment: signature.asc
Description: Digital signature

Reply to: