gabriel rosenkoetter on Thu, 18 Apr 2002 13:32:39 -0400
On Thu, Apr 18, 2002 at 12:39:32PM -0400, Michael Leone wrote:
> We were talking about whether the new keysigning member should bring
> enough printouts of their own fingerprints to give to everyone else
> at a keysigning, or have 1 person print out all the fingerprints
> received, and hand them to the others present.

It's irrelevant. In either case, you MUST verify that the fingerprint
you've heard, seen, and initialed as matching matches the fingerprint on
the public key you've got at home. If you don't do this every time, the
system breaks down.

> I trust Darxus enough so that if he hands me a printout with 10 new
> fingerprints, I trust that he hasn't deliberately mangled or forged
> any. If he did, the new user will say "Hang on; that's not my
> fingerprint". Unless, of course, the 2 are in cahoots. But hey .. you
> have to draw that paranoia line somewhere ...

Why? It's possible to be absolutely sure with PGP, provided that you can
rely on the crypto-system (which, as I said elsewhere, may not be true).
It's not paranoia, it's simply black or white truth. Why fudge it when
the system makes it so easy to be sure?

--
gabriel rosenkoetter
gr@eclipsed.net
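One way to do the check the reply insists on, as an added example that is not part of the original thread: compute the fingerprint from the public-key packet you hold (the v4 SHA-1 construction of RFC 4880, section 12.2) and compare it with what was copied from the printout, so a mangled, truncated or key-id-only printout fails. The key packet is a constructed toy with a tiny modulus; its creation time, the helper names and the spacing used on the printout are assumptions.

```python
# Added example (not from the thread): OpenPGP v4 fingerprint of a public-key
# packet (RFC 4880 12.2) compared against a fingerprint copied from a printout.
import hashlib
import re

def mpi(value: int) -> bytes:
    """OpenPGP MPI: two-byte bit length, then the integer big-endian (RFC 4880 3.2)."""
    bits = value.bit_length()
    return bits.to_bytes(2, "big") + value.to_bytes((bits + 7) // 8, "big")

def v4_public_key_body(created: int, algo: int, *mpis: int) -> bytes:
    """Body of a v4 public-key packet: version, creation time, algorithm id, MPIs."""
    return b"\x04" + created.to_bytes(4, "big") + bytes([algo]) + b"".join(mpi(m) for m in mpis)

def v4_fingerprint(body: bytes) -> str:
    """SHA-1 over 0x99, the two-byte body length and the body, as 40 upper-case hex digits."""
    prefix = b"\x99" + len(body).to_bytes(2, "big")
    return hashlib.sha1(prefix + body).hexdigest().upper()

def normalize(printed: str) -> str:
    """Drop the spacing people use on printouts ('1234 5678 ...') and upper-case."""
    return re.sub(r"[^0-9A-Fa-f]", "", printed).upper()

def matches_printout(printed: str, body: bytes) -> bool:
    """True only when all 40 hex digits match; a 16-digit key id is not a fingerprint."""
    candidate = normalize(printed)
    return len(candidate) == 40 and candidate == v4_fingerprint(body)

# Constructed toy RSA key (algorithm 1): n = 3233 (61 * 53), e = 17. Not a real key
# size; the creation time is an arbitrary assumed value.
TOY_KEY = v4_public_key_body(0x3CBF0000, 1, 3233, 17)

if __name__ == "__main__":
    fp = v4_fingerprint(TOY_KEY)
    spaced = " ".join(fp[i:i + 4] for i in range(0, 40, 4))
    print("fingerprint of the key on disk:", fp)
    print("printout as handed out:        ", spaced)
    print("printout matches key:", matches_printout(spaced, TOY_KEY))
    print("key id alone matches:", matches_printout(fp[-16:], TOY_KEY))
```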