gabriel rosenkoetter on Wed, 17 Apr 2002 19:47:22 -0400
On Wed, Apr 17, 2002 at 06:39:31PM -0400, Michael Leone wrote:
> All participants have to have copies of everyone involved's fingerprint;
> it's just easier to funnel them to a central person, who then makes
> enough printouts for all participants to look at.

Um, but if I blindly trust that the printout that Darxus gives me matches what I'd get out of gpg --fingerprint for that key ID and sign the key, I've misplaced my trust.

Even if you do use Darxus's handy printout, you MUST verify that the fingerprint on that sheet of paper (that you verified against what the person whose key it is read aloud *from* *their* *own* *files*... that is NOT from Darxus's printout) matches with the output of gpg --fingerprint for that key ID on your machine BEFORE you do gpg --sign-key.

> If you have 10 participants, and everyone brings enough copies
> of their fingerprint for everyone else, everybody ends up with 10
> pages per person. As opposed to 1 or 2, if done centrally.

But bringing copies of your fingerprint for everyone and reading your fingerprint aloud are redundant! It's still necessary to match the fingerprints against what you have locally when you get home.

> Also, not everyone comes with printouts of their fingerprint; I leave
> mine in my Palm. Saves on paper, etc.

I think I have the first two blocks of mine memorized at this point. ;^>

In any case, I think you missed my point. I was saying that I could just as easily print the fingerprints for everyone in place of Darxus, if he's not going to be there (um, Darxus, could you maybe say something about this? Soon?), and that they would be no more or less trustworthy than Darxus's printouts.

-- 
gabriel rosenkoetter
gr@eclipsed.net
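The check described in the message above (compare the fingerprint you verified in person with the local gpg --fingerprint output before running gpg --sign-key), as an added example that is not part of the original post. The function names, the `verify_then_sign` wrapper and the sample key data are hypothetical, and it assumes 40-hex-digit (v4) fingerprints.

```shell
#!/bin/sh
# Added example (not from the original post): refuse to sign unless the
# fingerprint checked in person equals the one in the local keyring.

# Constructed sample of `gpg --with-colons --fingerprint` output (not a real key).
SAMPLE_COLONS='pub:-:255:22:0123456789ABCDEF:1018000000:::-:::scESC:
fpr:::::::::AAAABBBBCCCCDDDDEEEEFFFF0123456789ABCDEF:
uid:-::::1018000000::0000::Constructed User <user@example.invalid>:
sub:-:255:18:8899990000111122:1018000000::::::e:
fpr:::::::::1111222233334444555566667777888899990000:'

# Strip spaces/colons and uppercase, so "aaaa bbbb ..." compares cleanly.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t\n:' | tr 'a-f' 'A-F'
}

# Read colon-format output on stdin; print the primary key fingerprint
# (first "fpr" record, field 10). Fail unless exactly one key matched.
primary_fpr() {
    awk -F: '$1 == "pub" { n++ }
             $1 == "fpr" && f == "" { f = $10 }
             END { if (n != 1) exit 1; print f }'
}

# 0 = match, 1 = mismatch, 2 = sheet value is not a full 40-hex-digit
# fingerprint (assumption: v4 keys; a key ID or partial print is rejected).
fpr_matches() {
    sheet=$(normalize_fpr "$1")
    have=$(normalize_fpr "$2")
    case "$sheet" in ''|*[!0-9A-F]*) return 2 ;; esac
    [ "${#sheet}" -eq 40 ] || return 2
    [ "$sheet" = "$have" ]
}

# Hypothetical wrapper: verify_then_sign KEYID "FINGERPRINT FROM THE SHEET"
verify_then_sign() {
    have=$(gpg --with-colons --fingerprint "$1" | primary_fpr) || return 1
    if fpr_matches "$2" "$have"; then
        gpg --sign-key "$have"      # sign by full fingerprint, not key ID
    else
        echo "fingerprint for $1 does not match the sheet: not signing" >&2
        return 1
    fi
}

if [ "$#" -eq 2 ]; then verify_then_sign "$1" "$2"; fi
```

The second argument is the fingerprint as typed in from the sheet you checked at the keysigning; grouping spaces and letter case do not matter.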