On Thu, Jul 29, 1999 at 01:58:15AM -0500, Manoj Srivastava wrote:

> Buddha> It seems that there is a missing step -- verification that I
> Buddha> know "John Smith"'s private key. Without that, you are
>
> How can you know someone's private key? (A nit: In any case,
> you don't sign a private key -- you sign a public key).

I think you may have missed the point. You need to be sure that you are signing the *correct* public key, and not just any public key that happened to be created with "John Smith"'s id (which is publicly known). I.e. there is not much point in a public key for "John Smith" if "John Smith" doesn't have the private key. Somebody may have replaced a copy of the correct key with a "forged" key along the way.

You (as the signer) need some way to verify that "John Smith" really does have the private key before signing the public key.

Of course, I have never attended a key signing meeting, so I don't know how/if this checking is usually done. I think the usual way is to check the fingerprint of the key.

Come to think of it, I don't think anybody asked for my key fingerprint when I became a Debian maintainer... (I may be mistaken though).

-- 
Brian May <bam@snoopy.apana.org.au>
Attachment:
pgptz5qj5Akm6.pgp
Description: PGP signature
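The two checks the message above describes, as an added example that is not part of the original thread or of any Debian tooling: comparing the fingerprint of a fetched key against the one the holder presented in person, and a challenge/response proof that the holder actually has the matching private key. It uses Ed25519 from the Go standard library and a SHA-256 digest as a stand-in fingerprint; real OpenPGP fingerprints are computed differently (a hash over the public key packet), and the user ID, key material and `Key` type are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
	"strings"
)

// Key pairs a claimed user ID with public key material, the way a key
// fetched from a keyserver does. Constructed for this example; this is
// not the OpenPGP packet format.
type Key struct {
	UserID string
	Public ed25519.PublicKey
}

// Fingerprint returns the SHA-256 digest of the raw public key, grouped
// in four-hex-digit blocks so it can be read aloud or printed on a slip.
// Stand-in for an OpenPGP fingerprint, which serves the same purpose.
func Fingerprint(k Key) string {
	sum := sha256.Sum256(k.Public)
	h := strings.ToUpper(hex.EncodeToString(sum[:]))
	parts := make([]string, 0, len(h)/4)
	for i := 0; i < len(h); i += 4 {
		parts = append(parts, h[i:i+4])
	}
	return strings.Join(parts, " ")
}

// FingerprintMatches is the key-signing-party check: the key the signer
// fetched must carry the same fingerprint the holder presented in person.
// A key "forged" under the same user ID fails here, whatever its user ID says.
func FingerprintMatches(fetched Key, presentedFingerprint string) bool {
	a := []byte(Fingerprint(fetched))
	b := []byte(presentedFingerprint)
	return subtle.ConstantTimeCompare(a, b) == 1
}

// Challenge produces a fresh random nonce chosen by the signer, so a
// recorded signature from some earlier occasion cannot be replayed.
func Challenge() ([]byte, error) {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return nonce, nil
}

// ProvePossession is run by the key holder: sign the signer's challenge
// with the private half of the key.
func ProvePossession(priv ed25519.PrivateKey, challenge []byte) []byte {
	return ed25519.Sign(priv, challenge)
}

// VerifyPossession is run by the signer: only someone holding the private
// key that matches fetched.Public can have produced sig over this challenge.
func VerifyPossession(fetched Key, challenge, sig []byte) bool {
	return ed25519.Verify(fetched.Public, challenge, sig)
}

// ReadyToSign combines both checks before the signer certifies the key:
// the fetched key is the one presented in person, and its holder has the
// private key.
func ReadyToSign(fetched Key, presentedFingerprint string, challenge, sig []byte) bool {
	return FingerprintMatches(fetched, presentedFingerprint) &&
		VerifyPossession(fetched, challenge, sig)
}

func main() {
	// Constructed scenario: John's genuine keypair and a forged key that
	// carries the same user ID but different key material.
	johnPub, johnPriv, _ := ed25519.GenerateKey(rand.Reader)
	forgedPub, forgedPriv, _ := ed25519.GenerateKey(rand.Reader)
	genuine := Key{"John Smith <john@example.invalid>", johnPub}
	forged := Key{"John Smith <john@example.invalid>", forgedPub}

	presented := Fingerprint(genuine) // what John hands over in person
	challenge, _ := Challenge()

	fmt.Println("genuine key, fingerprint matches:", FingerprintMatches(genuine, presented))
	fmt.Println("forged key, fingerprint matches:  ", FingerprintMatches(forged, presented))
	fmt.Println("genuine key, John signs challenge:", ReadyToSign(genuine, presented, challenge, ProvePossession(johnPriv, challenge)))
	fmt.Println("forged key, forger signs challenge:", ReadyToSign(forged, presented, challenge, ProvePossession(forgedPriv, challenge)))
	fmt.Println("genuine key, forger signs challenge:", VerifyPossession(genuine, challenge, ProvePossession(forgedPriv, challenge)))
}
```

The fingerprint comparison catches a substituted key; the challenge catches a key whose public half is correct but whose private half the person in front of you does not hold (for instance, someone presenting a copy of a real key's fingerprint). Signing only after both pass is what turns a signature into a statement that the key and the person belong together.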