Samuel Tardieu <sam@debian.org> writes:

> On 28/06, John H. Robinson, IV wrote:
>
> | http://people.debian.org/~jaqque/keysign.html
> |
> | it does have some weaknesses, but it is a lot stronger than the ``oh,
> | i've met you, i have checked your ID, and off we go''

What additional security does this protocol offer over simple ID
checking? IOW, what problem does it solve?

> It has an enormous flaw: you do not sign a key, you sign an id.

Indeed. And I usually consider the e-mail not part of the signed data
(although, technically it is). It would be good to make that explicit by
having one uid on the key without e-mail. I'd sign just that, and -
frankly - I'm not that interested in whether the e-mail is signed by
anybody besides the owner of the key.

--
Robbe