Keysigning challenge policies/procedures

Todd Zullinger tmz at pobox.com
Sat Jul 8 07:40:14 CEST 2006 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi David,

David Shaw wrote:
> I've been away on vacation and only picked up this thread now.

Hope it was relaxing.  Welcome back seems like a negative thing to
say.  ;)

> This statement is not correct.  Back in the PGP 2.x days, this might
> have been true, but with OpenPGP, there is no particular requirement
> that the ability to sign and the ability to decrypt are connected.
> You can have a shared key with separate capabilities.
> 
> Sending an signed key via encrypted mail does not ensure anything
> about the key owner.

Marcus and Ingo have very been helpful in providing pretty specific
procedures that they've used (and documented) for key signing.  I've
read with interest the comments that you've made over the years as the
topic of keysigning has come up and I'd be very appreciative if you
could share a basic outline of the procedure you take or recommend.

As I alluded to at the start of this thread, I've been volunteered to
give a talk on the process and reason behind key signing at an
upcoming meeting of my local LUG.  I've been trying to find as many
different peoples policies and procedures as I can prior to my
presentation to a) refresh my memory and b) prepare for potential
questions on why one might use a particular method.

I highly respect the methods you've outlined on this list and I think
the members of my local LUG could benefit greatly from being exposed
to the policy/procedure for handling keys the come across at a key
signing party.

Thanks much for your efforts on GnuPG.  Like OpenSSH, it's one of the
applications that I use every single day and would have a hard time
living without.

- -- 
Todd        OpenPGP -> KeyID: 0xD654075A | URL: www.pobox.com/~tmz/pgp
======================================================================
Life is the art of drawing without an eraser.
    -- John Gardner

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)
Comment: When crypto is outlawed bayl bhgynjf jvyy unir cevinpl.

iG0EARECAC0FAkSvRTwmGGh0dHA6Ly93d3cucG9ib3guY29tL350bXovcGdwL3Rt
ei5hc2MACgkQuv+09NZUB1oIFACg1o1VlJkJc3qnus5D24wxs1+c+nMAnif/DXQB
GM8hQmMqt6RFQ6AxQObg
=yZQj
-----END PGP SIGNATURE-----

More information about the Gnupg-users mailing list