Re: GnuPG & mutt on Woody 3.0r2.
On Mon, 22 Dec 2003 20:02, Marcel Weber <firstname.lastname@example.org> wrote:
> Russell Coker wrote:
> > Signing a key you don't know is not a good idea, it's easy to
> > accidentally upload a key...
> > There is a gpg option "lsign" which can be used for this, it's like a
> > regular signature but it can never be exported.
> Right: But if he is sure he trusts this key he should sign it and upload
> it to the key server.

If he is sure because he verified the key fingerprint while meeting the owner
in person, and the owner provided photo-id (or is someone he has known for
many years) then he can do that. Alternatively signing a key based on a
phone call with someone you know well enough to recognise their voice may be

Being sure because "the key servers generally have the right data" is of
course not a reason to upload.

I assume that if he had met the person and verified the fingerprint then he
would have signed the key and we wouldn't be having this discussion. If he
hasn't met them then it should not be signed.

http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page
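
The difference between a regular signature and an lsign one shows up in gpg's machine-readable listing, where field 11 of each `sig` record ends in `x` (exportable) or `l` (local). The following is an added example, not part of the original message, that audits such a listing for certifications made by your own key before anything is uploaded; the key IDs, dates and names in the sample are constructed.

```shell
#!/bin/sh
# Added example: audit certifications made by one key (SIGNER) on other keys.
# Input: output of `gpg --list-sigs --with-colons` on stdin.
# Field 11 of a sig record is the signature class plus "x" (exportable)
# or "l" (local, as made by lsign).
audit_sigs() {
    awk -F: -v signer="$1" '
        BEGIN { signer = toupper(signer) }
        $1 == "pub" { target = toupper($5); next }   # key being listed
        $1 == "uid" { uid = $10; next }              # user ID being certified
        $1 == "sig" && toupper($5) == signer && target != signer {
            if ($11 !~ /^1[0-3][xl]$/) next          # certifications only
            kind = (substr($11, 3, 1) == "l") ? "LOCAL" : "EXPORTABLE"
            printf "%s %s %s\n", kind, target, uid
        }'
}

# Number of certifications by SIGNER that would leave the machine on export.
count_exportable() {
    audit_sigs "$1" | awk '$1 == "EXPORTABLE" { n++ } END { print n + 0 }'
}

# Constructed sample listing: key IDs, dates and names are made up.
sample_listing() {
    cat <<'EOF'
pub:u:1024:17:1111111111111111:1071000000:::u:::scESC:
uid:u::::1071000000::::Me (constructed) <me@example.org>:
sig:::17:1111111111111111:1071000000::::Me (constructed) <me@example.org>:13x:
pub:f:1024:17:AAAAAAAAAAAAAAAA:1071000000:::-:::scESC:
uid:f::::1071000000::::Alice (constructed) <alice@example.org>:
sig:::17:AAAAAAAAAAAAAAAA:1071000000::::Alice (constructed) <alice@example.org>:13x:
sig:::17:1111111111111111:1071000100::::Me (constructed) <me@example.org>:10l:
pub:f:1024:17:BBBBBBBBBBBBBBBB:1071000000:::-:::scESC:
uid:f::::1071000000::::Bob (constructed) <bob@example.org>:
sig:::17:BBBBBBBBBBBBBBBB:1071000000::::Bob (constructed) <bob@example.org>:13x:
sig:::17:1111111111111111:1071000200::::Me (constructed) <me@example.org>:10x:
EOF
}

# Demo on the constructed listing: Alice's key carries a local signature,
# Bob's an exportable one.
sample_listing | audit_sigs 1111111111111111
```

Against a real keyring the input would come from `gpg --list-sigs --with-colons`, with your own 16-digit key ID as the argument.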