
Re: GnuPG & mutt on Woody 3.0r2.



On Mon, 22 Dec 2003 20:02, Marcel Weber <mmweber@ncpro.com> wrote:
> Russell Coker wrote:
> > Signing a key you don't know is not a good idea, it's easy to
> > accidentally upload a key...
> >
> > There is a gpg option "lsign" which can be used for this, it's like a
> > regular signature but it can never be exported.
>
> Right: But if he is sure he trusts this key he should sign it and upload
> it to the key server.

If he is sure because he verified the key fingerprint while meeting the owner 
in person, and the owner provided photo-id (or is someone he has known for 
many years) then he can do that.  Alternatively signing a key based on a 
phone call with someone you know well enough to recognise their voice may be 
OK.

Being sure because "the key servers generally have the right data" is of 
course not a reason to upload.

I assume that if he had met the person and verified the fingerprint then he 
would have signed the key and we wouldn't be having this discussion.  If he 
hasn't met them then it should not be signed.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page


