Re: PGP and verifying ids / emails
Hi,
>>"Brian" == Brian May <bam@snoopy.apana.org.au> writes:
Brian> You need to be sure that you are signing the *correct* public
Brian> key, and not just any public key that happened to be created
Brian> with "John Smith"'s id (which is publicly known).
When I sign a key, I am standing in front of John Smith,
who has convinced me it is indeed John Smith (using 2 picture
ID's). He then asks me to sign a key -- I assume he is giving me a
public key whose private key he has (what is the point otherwise?).
I do verify that the ID on the key matches the ID that was
shown to me.
Brian> i.e. there is not much point in a public key for "John Smith" if "John
Brian> Smith" doesn't have the private key.
Why is he asking me to sign it then?
Brian> Somebody may have replaced a copy of the correct key with a
Brian> "forged" key along the way.
Without John Smith knowing? I hope no one is that incompetent.
Brian> You (as the signer) need some way to verify that "John Smith"
Brian> really does have the private key before signing the public
Brian> key.
How does one do this?
Brian> Of course, I have never attended a key signing meeting, so I
Brian> don't know how/if this checking is usually done. I think the
Brian> usual way is to check the fingerprint of the key. Come to
Brian> think of it, I don't think anybody asked for my key
Brian> fingerprint when I became a Debian maintainer... (I may be
Brian> mistaken though).
This is quite confused. The fingerprint is of the public key
(or else how do you check it? No one should be giving anyone a look
at the private key at all).
I think you are missing something. See, I meet John Smith. He
shows me photo-ID. He gives me fingerprint of his *public* key. I
download key from key server, and check the fingerprint. I check the
ID matches the photo ID's I saw. I sign just that ID. Now tell me
again, how short of forging two picture ID's, there is a flaw in
this.
manoj
--
The meta-Turing test counts a thing as intelligent if it seeks to
devise and apply Turing tests to objects of its own creation. Lew
Mammel, Jr.
Manoj Srivastava <srivasta@debian.org> <http://www.debian.org/%7Esrivasta/>
Key C7261095 fingerprint = CB D9 F4 12 68 07 E4 05 CC 2D 27 12 1D F5 E8 6E
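The checks Manoj describes (fingerprint on the slip equals the fingerprint of the public key fetched from the keyserver; user ID matches the name on the photo ID; sign only that ID), as an added example that is not part of the thread. It parses the machine-readable listing `gpg --with-colons --fingerprint` prints; the listing, key, names and addresses below are constructed, not a real key.

```python
"""Key-signing check: decide which user IDs of a fetched key may be signed."""
import re
from dataclasses import dataclass, field

# Constructed sample of `gpg --with-colons --fingerprint <keyid>` output
# (primary key, two user IDs, one subkey). Not a real key.
SAMPLE_GPG_LISTING = """\
pub:u:4096:1:0123456789ABCDEF:1600000000:::u:::scESC::::::23::0:
fpr:::::::::89AB0123456789ABCDEF0123456789ABCDEF0123:
uid:u::::1600000000::0000000000000000000000000000000000000000::John Smith <john@example.org>::::::::::0:
uid:u::::1600000000::1111111111111111111111111111111111111111::J. Smith <jsmith@example.com>::::::::::0:
sub:u:4096:1:FEDCBA9876543210:1600000000::::::e::::::23:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
"""


@dataclass
class PublicKey:
    fingerprint: str                        # primary-key fingerprint, upper-case hex
    uids: list = field(default_factory=list)


def normalise_fingerprint(text: str) -> str:
    """Drop the spacing a human writes on paper; keep the hex digits only."""
    return re.sub(r"[^0-9A-Fa-f]", "", text).upper()


def parse_colon_listing(listing: str) -> PublicKey:
    """Take the primary key's fpr record (the first after 'pub') and its uids.
    In gpg's colon format field 10 carries the fingerprint / user ID string."""
    key = None
    for line in listing.splitlines():
        fields = line.split(":")
        if fields[0] == "pub":
            key = PublicKey(fingerprint="")
        elif fields[0] == "fpr" and key is not None and not key.fingerprint:
            key.fingerprint = fields[9]     # later fpr records belong to subkeys
        elif fields[0] == "uid" and key is not None:
            key.uids.append(fields[9])
    if key is None or not key.fingerprint:
        raise ValueError("no primary key fingerprint in listing")
    return key


def uids_to_sign(key: PublicKey, paper_fingerprint: str, photo_id_name: str) -> list:
    """Sign nothing unless the slip's fingerprint is this public key's;
    then sign only the user IDs whose name part equals the photo-ID name."""
    if normalise_fingerprint(paper_fingerprint) != key.fingerprint:
        return []                           # not the key he showed me: sign nothing
    wanted = photo_id_name.strip().lower()
    # strip an optional "(comment)" and the "<email>" part, leaving the name
    name_of = lambda uid: re.sub(r"\s*(\(.*?\))?\s*<.*>$", "", uid).strip()
    return [uid for uid in key.uids if name_of(uid).lower() == wanted]
```

Run against the real listing by feeding `subprocess.run(["gpg", "--with-colons", "--fingerprint", keyid], capture_output=True, text=True).stdout` to `parse_colon_listing`; the older 32-digit fingerprints in this thread's signatures normalise the same way.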