
Re: GPG Key Signing

Samuel Tardieu <sam@debian.org> writes:

> On 28/06, John H. Robinson, IV wrote:
> | http://people.debian.org/~jaqque/keysign.html
> | 
> | it does have some weaknesses, but it is a lot stronger than the ``oh,
> | i've met you, i have checked your ID, and off we go''

What additional security does this protocol offer over simple ID
checking? IOW, what problem does it solve?

> It has an enormous flaw: you do not sign a key, you sign an id.

Indeed. And I usually consider the e-mail not part of the signed data
(although, technically, it is). It would be good to make that
explicit by having one uid on the key without e-mail. I'd sign just
that, and - frankly - I'm not that interested in whether the e-mail is
signed by anybody besides the owner of the key.

