Eric J. Roode on 9 Feb 2005 14:09:58 -0000
Greg Sabino Mullane wrote:
> I do it by hand, via command-line gpg. I don't think there is any way to automate it outside of an expect script. But my basic process is:
But then... Do you leave the signatures on your local (personal) keyring? Or leave them unsigned locally?

Seems to me there are the following possibilities, after you mail out the individually-signed keys to the various email addresses:

1. Leave all the uids signed on your personal keyring. But: if you accidentally distribute that key, you've vouched for possibly-forged addresses.

2. Leave all the uids *locally* signed on your personal keyring. But: you can't distribute the key (to your friends, to a keyserver). This is possibly not a bad thing.

3. Leave all the uids signed locally until you happen to receive an email from the person, at which point you sign-for-export the uid from that email. But: you have to remember to do that. And you have to remember to check that the From: wasn't forged.

I'm just musing here.... I'd like to see a Better Way of verifying email addresses than the challenge-response (which is effective, but clumsy imho). Anyone else have any insights?

Eric

$_ = reverse sort $ / . r , qw p ekca lre uJ reh ts p , map $ _ . $ " , qw e p h tona e and print

___________________________________________________________________________
Philadelphia Linux Users Group -- http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion -- http://lists.phillylinux.org/mailman/listinfo/plug
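An added example, not part of the original message: one way to catch the risk in option 1 before a keyring is distributed is to list the uids that carry an exportable certification from your own key but whose address has not yet answered the challenge. It parses `gpg --with-colons --list-sigs` output, where field 11 of a `sig` record ends in `x` (exportable) or `l` (local); the key IDs, addresses and the `verified` set are constructed placeholders.

```python
import re

# Constructed `gpg --with-colons --list-sigs` output (not from the post).
# MY_KEYID and every key ID, hash and address below are made-up placeholders.
MY_KEYID = "BBBBBBBBBBBBBBBB"
SAMPLE = """\
pub:f:2048:1:AAAAAAAAAAAAAAAA:1107900000:::-:::scESC:
uid:f::::1107900000::HASH1::Alice Example <alice@example.org>:
sig:::1:AAAAAAAAAAAAAAAA:1107900000::::Alice Example <alice@example.org>:13x:
sig:::1:BBBBBBBBBBBBBBBB:1107950000::::Me <me@example.net>:10x:
uid:f::::1107900000::HASH2::Alice Example <alice@work.example>:
sig:::1:AAAAAAAAAAAAAAAA:1107900000::::Alice Example <alice@example.org>:13x:
sig:::1:BBBBBBBBBBBBBBBB:1107950000::::Me <me@example.net>:10l:
pub:f:2048:1:CCCCCCCCCCCCCCCC:1107900000:::-:::scESC:
uid:f::::1107900000::HASH3::Bob Example <bob@example.com>:
sig:::1:CCCCCCCCCCCCCCCC:1107900000::::Bob Example <bob@example.com>:13x:
sig:::1:BBBBBBBBBBBBBBBB:1107950000::::Me <me@example.net>:10x:
"""

def my_signatures(colons, my_keyid):
    """Return [(key_id, uid, 'exportable' | 'local')] for uid certifications by my_keyid."""
    found, key_id, uid = [], None, None
    for line in colons.splitlines():
        f = line.split(":")
        if len(f) < 11:
            continue                      # not a record type we inspect
        if f[0] == "pub":
            key_id, uid = f[4], None      # field 5: key ID of the key being listed
        elif f[0] == "uid":
            uid = f[9]                    # field 10: the user ID string
        elif f[0] == "sub":
            uid = None                    # signatures after a subkey are not uid certifications
        elif f[0] == "sig" and uid and f[4] == my_keyid and key_id != my_keyid:
            # Field 11: two hex digits of signature class, then 'x' or 'l'.
            scope = "local" if f[10].endswith("l") else "exportable"
            found.append((key_id, uid, scope))
    return found

def email_of(uid):
    """Extract the address between angle brackets, lower-cased, or None."""
    m = re.search(r"<([^<>]+)>", uid)
    return m.group(1).lower() if m else None

def audit(colons, my_keyid, verified):
    """Exportable signatures of mine on uids whose address is not in `verified`."""
    return [(k, u) for k, u, scope in my_signatures(colons, my_keyid)
            if scope == "exportable" and email_of(u) not in verified]
```

Any entry returned by `audit` is a uid that would be vouched for publicly if the key were exported or sent to a keyserver.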