
GPG USAGE HOWTO 1 (was: Re: AM report on Thierry Bourrillon)



On Mon, Apr 16, 2001 at 10:12:57PM +0200, Peter Palfrader wrote:
> On Mon, 16 Apr 2001, Ralf Treinen wrote:
> > > > pub  1024D/D94AF6B8 2000-10-17 Thierry Bourrillon <thierry.bourrillon@debian.org>
> > > What is it?
> > It's just the ID that he chose for his key. I told him that his
> > debian address most likely will not look like this. At that time
> > (when I signed his key) I didn't care since he can generate (and
> > submit to the keyring) as many subkeys as he likes.
> 
> In other words you signed an ID that was not owned by the owner
> of the secret key. Not good imho.

It's terrible what you people here call keysigning and keysign
checking. You are using --list-sigs and not --check-sigs; --list-sigs
DOES NOT CHECK ANYTHING. And that other guy signs a UID that's
invalid. So, if elmo rejects the application the applicant can be happy
with having a signed @debian.org UID. I have no idea what it's good
for at this point, but it's BAD anyway. The web of trust is a piece of shit
because of the 'I-don't-care' users of strong encryption systems.

/me is sad to see this

p.s: To-Learn:
 1.) Do not sign nonexistent UIDs
 2.) DO USE --check-sigs

Two easy steps for improving the security enormously.

Argh,
-- 
Lenart, Janos
<ocsi@debian.org>
