
Re: gpg key validity question



On Thu, Apr 25, 2002 at 10:04:20AM -0400, christophe barbé wrote:

> I wonder if it is acceptable to sign a key from someone that :

> - I met him personally and saw his ID
> - I saw him in a public meeting in a specific role (We can consider he
>   is well known)
> - I have a lot of public mails from him that are all signed

> But the key makes no references to his name.

> In my understanding the ID is useless but I have enough elements to
> believe he is the guy he said he is.

> I understand that if I sign his key I personally identify him and it
> will be enough for him in regard to the identification part of the NM
> process.

> Should I sign his key ?

Since you're asking the question, I gather you also think there's
something not quite right here.  When you sign someone's key, you're
vouching that the key belongs to who it says it does.  That is, you're
asserting that you have knowledge of the identity of the person using
the key.  If the key doesn't have this person's name on it, what *does*
it have on it?  Is he using a pseudonym?  Is he only using an email
address?  I would not have a problem signing a key that had an email
address with no name as a uid; however, such a key is not useful for
the NM process: people become Debian Developers, not email addresses.

If the key uses a pseudonym, I would not sign it.

Have you received a PGP fingerprint from him in person?  If not, you 
don't have any proof that there isn't someone between you and him that 
intercepts all of his email and re-signs it with a different key.

Steve Langasek
postmodern programmer
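The two checks Steve asks for (does the fingerprint you got in person match the key, and does the key carry a uid with a name rather than only an address) can be scripted over the machine-readable listing that `gpg --with-colons --fingerprint <keyid>` prints. The example below is added here and is not from the original thread or from GnuPG itself; the listing it parses is a constructed sample with an invented key ID, fingerprint and uid, and the uid classification labels and the email regex are this example's own assumptions.

```python
import re

# Constructed sample of `gpg --with-colons --fingerprint <keyid>` output.
# Key ID, fingerprint, uid and timestamps are invented for this example.
SAMPLE_LISTING = """\
tru::1:1700000000:0:3:1:5
pub:-:4096:1:0123456789ABCDEF:1600000000:::-:::scESC::::::23::0:
fpr:::::::::0000111122223333444455556666777788889999:
uid:-::::1600000000::0000000000000000000000000000000000000000::<user@example.org>::::::::::0:
sub:-:4096:1:FEDCBA9876543210:1600000000::::::e::::::23:
fpr:::::::::AAAABBBBCCCCDDDDEEEEFFFF0000111122223333:
"""

# A uid that is nothing but an address, with or without angle brackets.
EMAIL_ONLY = re.compile(r"^\s*(<)?[^<>\s@]+@[^<>\s@]+(>)?\s*$")


def parse_listing(text):
    """Return (primary_fingerprint, [uid strings]) from --with-colons output.

    In the colon format the fingerprint of an 'fpr' record and the user id of a
    'uid' record both sit in field 10.  Only the fpr record that follows the
    'pub' line is kept; fpr records that belong to subkeys ('sub') are skipped.
    """
    primary_fpr = None
    uids = []
    in_primary = False
    for line in text.splitlines():
        fields = line.split(":")
        rtype = fields[0]
        if rtype == "pub":
            in_primary = True
        elif rtype in ("sub", "ssb"):
            in_primary = False
        elif rtype == "fpr" and in_primary and primary_fpr is None and len(fields) > 9:
            primary_fpr = fields[9].upper()
        elif rtype == "uid" and len(fields) > 9:
            uids.append(fields[9])
    return primary_fpr, uids


def normalize_fpr(s):
    """Strip the grouping spaces and case of a fingerprint read off a card or slip."""
    return re.sub(r"\s+", "", s).upper()


def classify_uid(uid):
    """Rough classification used by this example (an assumption, not a gpg notion)."""
    if EMAIL_ONLY.match(uid):
        return "email-only"
    if "<" in uid and "@" in uid:
        return "name+email"
    return "no-email"  # bare name, pseudonym, comment only, etc.


def assess_key(listing, fingerprint_from_person):
    """Combine the two checks before deciding to sign.

    fingerprint_matches: the key in the listing is the one whose fingerprint
        you received in person, so there is no one re-signing mail in between.
    has_named_uid: at least one uid carries a name beside the address, which is
        what a signature meant for the NM process needs to vouch for.
    """
    fpr, uids = parse_listing(listing)
    fpr_ok = fpr is not None and fpr == normalize_fpr(fingerprint_from_person)
    classes = [(u, classify_uid(u)) for u in uids]
    return {
        "fingerprint_matches": fpr_ok,
        "uids": classes,
        "has_named_uid": any(c == "name+email" for _, c in classes),
    }


if __name__ == "__main__":
    # Fingerprint as it might be copied from a slip of paper handed over in person.
    result = assess_key(SAMPLE_LISTING,
                        "0000 1111 2222 3333 4444  5555 6666 7777 8888 9999")
    print(result)
```

Run against the sample the fingerprint matches but the only uid is `<user@example.org>`, which is exactly the case in the reply above: signing it is defensible, but the key still says nothing about who the person is. A real run would feed in the output of `gpg --with-colons --fingerprint <keyid>` instead of `SAMPLE_LISTING`.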
