[please don't top-quote]

On Wed, Nov 13, 2002 at 11:13:59AM -0800, Expert User wrote:
> On Thu, Nov 14, 2002 at 02:08:02AM +1100, Rob Weir wrote:
> > On Wed, Nov 13, 2002 at 11:24:30AM +0000, Karl E. Jorgensen wrote:
> > > b) They must trust that you are actually the keeper of the
> > >    corresponding secret key. This means physically meeting people and
> > >    collecting signatures on your key from other people (web-of-trust).
> > >    This is the hard and time-consuming bit...
> >
> > This bit is really, really important. Do not sign anyone's key unless
> > you've physically met them and are sure they are who they claim they
> > are. If you don't take it seriously then you'll hurt the web of trust.
> > That said, keysigning is an excellent excuse to meet up with local
> > geeks:)
> >
> > -rob
> >
> The one part I have not quite understood is how do I 'collect'
> signatures physically?

Basically you find somebody else who has a key and:
- Prove that you are who you say you are. This requires some official
  ID, e.g. a passport.
- Prove that you are the keeper of your private key - e.g. by being able
  to decrypt documents encrypted with the corresponding public key.
- Hand over the key fingerprint

That should be enough for somebody to sign your key. They would do this
by:
- Getting hold of your public key
- Checking that the fingerprint matches
- Signing your public key with their private key
- Sending your (now signed) public key to you (usually in a mail
  encrypted to your key)
- You then import that key and thus import the new signature
- You upload your public key (with the new signatures) to keyservers

Usually it's a two-way process - A signs B's key and vice versa
(provided that the conditions above are met).

The above is just a very short (and probably inaccurate) summary. Read
the real thing to get the (much more authoritative) full story:
http://www.cryptnet.net/fdp/crypto/gpg-party.html

HTH
-- 
Karl E. Jørgensen
karl@jorgensen.com
http://karl.jorgensen.com
==== Today's fortune:
The truth of a proposition has nothing to do with its credibility. And
vice versa.
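
The "checking that the fingerprint matches" step from the message above, as an added example that is not part of the original mail: it derives an OpenPGP version 4 fingerprint from the public-key packet (RFC 4880, section 12.2) and compares it with the full fingerprint handed over in person. The key material, the timestamp and all function names are constructed for illustration; in practice `gpg --fingerprint` prints the value to compare.

```python
import hashlib
import hmac
import struct

def build_v4_rsa_packet_body(created, n, e):
    """Body of a version 4 RSA public-key packet (RFC 4880, section 5.5.2)."""
    def mpi(x):
        # MPI = two-octet bit count, then the big-endian integer.
        return struct.pack(">H", x.bit_length()) + x.to_bytes((x.bit_length() + 7) // 8, "big")
    return bytes([4]) + struct.pack(">I", created) + bytes([1]) + mpi(n) + mpi(e)

def v4_fingerprint(body):
    """SHA-1 over 0x99, the two-octet body length, then the packet body."""
    if not body or body[0] != 4:
        raise ValueError("not a version 4 public-key packet body")
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()

def normalize(fpr):
    """Strip the spacing used on paper slips and upper-case the hex digits."""
    cleaned = "".join(fpr.split()).upper()
    if len(cleaned) != 40 or any(c not in "0123456789ABCDEF" for c in cleaned):
        raise ValueError("expected 40 hex digits; a short key ID is not a fingerprint")
    return cleaned

def fingerprint_matches(body, handed_over):
    """True only if the key that was fetched has the fingerprint that was handed over."""
    return hmac.compare_digest(v4_fingerprint(body), normalize(handed_over))

def as_printed(fpr):
    """Ten groups of four hex digits with a wider gap in the middle."""
    groups = [fpr[i:i + 4] for i in range(0, 40, 4)]
    return " ".join(groups[:5]) + "  " + " ".join(groups[5:])

# Constructed sample data: toy-sized moduli, not usable keys.
KEY_FROM_SERVER = build_v4_rsa_packet_body(1037214839, 0xC0FFEE0DDBA11, 65537)
LOOKALIKE_KEY = build_v4_rsa_packet_body(1037214839, 0xC0FFEE0DDBA13, 65537)
# The slip received at the meeting, written in lower case with spaces.
SLIP = as_printed(v4_fingerprint(KEY_FROM_SERVER)).lower()

if __name__ == "__main__":
    print("slip:", SLIP)
    print("fetched key matches:", fingerprint_matches(KEY_FROM_SERVER, SLIP))
    print("lookalike key matches:", fingerprint_matches(LOOKALIKE_KEY, SLIP))
```

A key that differs from the expected one in a single bit of the modulus yields an unrelated fingerprint, which is why the signer compares all 40 hex digits before signing.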