David Shaw on Wed, 25 Dec 2002 12:41:03 -0500
On Wed, Dec 25, 2002 at 12:01:42PM -0500, Jeff Abrahamson wrote:

> So I've signed some people's keys after David Shaw's visit. Maybe some
> people have signed mine. But this leaves me with a few questions:
>
> - How do I let the rest of the world know? The instructions on the web
> site didn't indicate. Is this with --send-keys?

Some people send it to a keyserver and let the person know, but I
usually send it directly to the person as keyserver synchronization is
not perfect and they may not get it on their favorite keyserver. Some
people do both.

> - If I send someone a key challenge question and they respond, having
> signed the correct challenge with the correct key but not from the
> correct email address, my inclination is not to sign their key, or
> to sign it with only moderate trust. Am I incorrect? This is the
> purpose of the verification, after all, to establish a binding
> between the key and the email address.

It's safe to sign the key. It doesn't matter what the "from" address
was on the mail that responded to you. You sent the challenge to a
given email address, and it was signed by the key in question. That's
an infinitely stronger binding than the SMTP envelope FROM, which is
not secure at all.

David

--
David Shaw | dshaw@jabberwocky.com | WWW http://www.jabberwocky.com/
+---------------------------------------------------------------------------+
"There are two major products that come out of Berkeley: LSD and UNIX.
We don't believe this to be a coincidence." - Jeremy S. Anderson

_________________________________________________________________________
Philadelphia Linux Users Group -- http://www.phillylinux.org
Announcements - http://lists.netisland.net/mailman/listinfo/plug-announce
General Discussion -- http://lists.netisland.net/mailman/listinfo/plug
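
The acceptance rule described in the reply above, as an added Python example that is not part of the original post: the check looks at which key signed the response and whether the signed text carries the nonce mailed to the address on the key, and never consults the mail's From. The helper names, fingerprint, addresses and status lines are constructed for illustration; the status-line layout is the one `gpg --status-fd` emits.

```python
import secrets

def new_challenge(uid_email, fingerprint):
    """Record the nonce mailed to one address listed on the key."""
    return {"email": uid_email, "fpr": fingerprint.upper(),
            "nonce": secrets.token_hex(16)}

def signer_fingerprint(status_text):
    """Primary-key fingerprint from gpg's VALIDSIG status line, else None."""
    for line in status_text.splitlines():
        parts = line.split()
        if parts[:2] == ["[GNUPG:]", "VALIDSIG"] and len(parts) >= 3:
            # Field 10, when present, is the primary key (signing subkeys).
            return (parts[11] if len(parts) >= 12 else parts[2]).upper()
    return None

def response_ok(challenge, status_text, signed_text, mail_from=None):
    """Accept only if the expected key signed text containing our nonce.

    signed_text must be the plaintext gpg output after verification, not
    the raw mail body. mail_from is accepted but deliberately unused.
    """
    return (signer_fingerprint(status_text) == challenge["fpr"]
            and challenge["nonce"] in signed_text)

def demo():
    fpr = "0123456789ABCDEF0123456789ABCDEF01234567"  # constructed
    ch = new_challenge("alice@example.org", fpr)       # constructed address
    status = ("[GNUPG:] GOODSIG 89ABCDEF01234567 Alice <alice@example.org>\n"
              f"[GNUPG:] VALIDSIG {fpr} 2002-12-25 1040838063 0 3 0 17 2 00 {fpr}\n")
    reply = f"Challenge response: {ch['nonce']}\n"
    return {
        "other_from": response_ok(ch, status, reply, "alice@webmail.example"),
        "bad_sig": response_ok(ch, "[GNUPG:] BADSIG 89ABCDEF01234567 Alice\n", reply),
        "wrong_key": response_ok(ch, status.replace(fpr, "F" * 40), reply),
        "stale_nonce": response_ok(ch, status, "Challenge response: 00\n"),
    }

if __name__ == "__main__":
    print(demo())
```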