
Re: GPG and Signing



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Michael Pobega wrote:
> On Sun, Apr 01, 2007 at 10:54:27AM -0500, Ron Johnson wrote:
>> On 04/01/07 10:29, Brad Rogers wrote:
>>> On Sun, 01 Apr 2007 10:05:07 -0500
>>> John Hasler <jhasler@debian.org> wrote:
>>>
>>> Hello John,
>>>
>>>> "ID" is a slippery concept.  What does it mean to "know who someone
>>>> is"?
>>> Indeed.  However, with some sort of photo ID, such as passport of
>>> driving license, and knowledge of the relevant key fingerprint, it's
>>> possible to be fairly sure you're dealing with the person that created
>>> the public key.  So long as the details all match, whether that's their
>>> "real" ID is moot.
>> A couple of years ago there was a very long thread on what it means
>> to "trust".  The bottom line was that you can't perfectly know, and
>> that all you can do is "your best" at verifying his identity, and
>> then have faith.
>>
> 
> I have a question, and I think it's best to fork the thread from here:
> 
> Is it a bad practice to verify keyrings of people on the mailing list,
> or is it better to wait until I meet up with some of them at say
> Debconf or something similar?

My practice is to import them into my keyring, but not to mark them as
"trusted" until I meet them, which means that most of the people will
never make it into my trusted keyrings, but remain untrusted.

This method still gives some assurances that the person who sent the
message is the same one who sent previous messages.  It does not mean
that I trust them.

BTW, this is the default behavior for enigmail.

Joe

- --
Registered Linux user #443289 at http://counter.li.org/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFGEKyqiXBCVWpc5J4RAkBfAJ0UwtrNBB5wmqRCJw8KWsGSe+oquwCdFdYC
ca5m5tQdgcjmAgas0vwRPEA=
=MS31
-----END PGP SIGNATURE-----
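The workflow Joe describes (import the key, verify signatures against it, but leave it untrusted until the fingerprint has been checked in person) can be reproduced with GnuPG's machine-readable status output. The script below is an added example, not code from Joe's message or from the list; it assumes gpg 2.1 or newer, and the key holders "Alice" and "Joe" and their addresses are made up for the demo. It shows that an imported-but-untrusted key still verifies ("Good signature", status TRUST_UNDEFINED), that two messages can be tied to the same signing key by fingerprint, and that a local signature (gpg --quick-lsign-key) after an in-person fingerprint check turns the status into TRUST_FULLY.

```shell
#!/bin/sh
# Added demo, not part of the original message. Assumes gpg >= 2.1.
# Names, addresses and message texts are constructed for this example.
set -eu

command -v gpg >/dev/null 2>&1 || { echo "gpg not found, nothing to demonstrate" >&2; exit 0; }

WORK=$(mktemp -d)
ALICE="$WORK/alice"   # the list member's keyring
JOE="$WORK/joe"       # Joe's keyring, where Alice's key gets imported
mkdir -m 700 "$ALICE" "$JOE"
cleanup() {
    for d in "$ALICE" "$JOE"; do gpgconf --homedir "$d" --kill gpg-agent 2>/dev/null || true; done
    rm -rf "$WORK"
}
trap cleanup EXIT

# g HOMEDIR ARGS...: unattended gpg call; empty passphrase is for demo keys only
g() { h=$1; shift; gpg --homedir "$h" --batch --yes --quiet \
        --pinentry-mode loopback --passphrase '' "$@"; }

# trust_level FILE: validity GnuPG assigns to the signing key (TRUST_UNDEFINED, TRUST_FULLY, ...)
trust_level() {
    g "$JOE" --status-fd 1 --verify "$1" 2>/dev/null \
      | awk '/^\[GNUPG:\] TRUST_/ { print $2; exit }'
}

# signer_fpr FILE: fingerprint of the key that made a valid signature on FILE
signer_fpr() {
    g "$JOE" --status-fd 1 --verify "$1" 2>/dev/null \
      | awk '/^\[GNUPG:\] VALIDSIG/ { print $3; exit }'
}

# --- Alice: generate a key and clearsign two list messages -------------------
g "$ALICE" --quick-generate-key 'Alice <alice@example.org>' default default never 2>/dev/null
printf 'Is it bad practice to verify keys of people on the list?\n' > "$WORK/msg1.txt"
printf 'Thanks, I will wait until Debconf then.\n'                  > "$WORK/msg2.txt"
g "$ALICE" --clearsign -o "$WORK/msg1.asc" "$WORK/msg1.txt" 2>/dev/null
g "$ALICE" --clearsign -o "$WORK/msg2.asc" "$WORK/msg2.txt" 2>/dev/null
g "$ALICE" --armor --export alice@example.org > "$WORK/alice.pub"

# --- Joe: own key (ultimately trusted), import Alice's key, no trust given ----
g "$JOE" --quick-generate-key 'Joe <joe@example.net>' default default never 2>/dev/null
g "$JOE" --import "$WORK/alice.pub" 2>/dev/null
ALICE_FPR=$(g "$JOE" --with-colons --fingerprint alice@example.org \
              | awk -F: '$1 == "fpr" { print $10; exit }')

# Good signature, but the key itself is unverified: TRUST_UNDEFINED
BEFORE=$(trust_level "$WORK/msg1.asc")
echo "after import, no trust: $BEFORE"

# Continuity check: both messages came from the same key, whoever owns it
if [ "$(signer_fpr "$WORK/msg1.asc")" = "$(signer_fpr "$WORK/msg2.asc")" ]; then
    echo "both messages signed by $ALICE_FPR"
fi

# --- Later, after comparing the fingerprint with Alice in person -------------
echo "compare against photo ID and this fingerprint: $ALICE_FPR"
g "$JOE" --quick-lsign-key "$ALICE_FPR" 2>/dev/null   # local (non-exportable) certification
g "$JOE" --check-trustdb 2>/dev/null
AFTER=$(trust_level "$WORK/msg1.asc")
echo "after local signature: $AFTER"
```

The local signature (lsign) is the right tool for Joe's policy: it records that he personally checked the key without publishing a certification to the keyservers, so his trust decision stays his own. The continuity check only compares VALIDSIG fingerprints, which is exactly the weaker assurance Joe describes: the same key signed both messages, with no claim about who holds it.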


