Re: Trusted Signatures on your Public key?

Huels, Ralf SCORE Ralf.Huels@schufa.de
Thu Jul 19 13:21:05 2001



> That's what I was curious about, just how do you do this, take your
> key on a floppy, and then get people to sign it.. then come home and
> import it?
Taking the key on a floppy is one way, but a rather complicated one, especially since people will rarely carry their secret key around to sign keys away from their home systems (storing a secret key on a mobile computer is a security risk and copying a secret key to somebody else's machine utterly destroys any security).

The solution lies in the key fingerprint. The output of 'gpg --fingerprint <yourkeyid>' uniquely identifies your key. Usually people just exchange hardcopies of their fingerprints and check each other's ID. You can then get the key from the key servers or exchange the keys by mail. Check the fingerprint of the keys thus received against the printouts you received at the key signing event. This gives you proof that you have the correct key, which you can now sign in the privacy of your secure home environment. Afterwards you upload the signed key to the key server or mail it back to its owner.

I carry a couple of fingerprint hardcopies in my wallet at all times, so if I run into a PGP/GPG user by chance, I have everything he/she needs to sign my key.

Tschüß,
Ralf
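The verification step described in the post, written out as a small POSIX shell helper. This is an added example, not code from the original message or from GnuPG; the fingerprints, key id and colon-format lines used below are constructed placeholders, and the function names are my own. It compares the fingerprint copied from the hardcopy against the one GnuPG computes for the key actually fetched, and only signs and uploads when the two agree.

```shell
#!/bin/sh
# Added example: fingerprint check for the key-signing workflow described
# above. All fingerprints and key ids in this file are constructed samples.

# Normalise a fingerprint for comparison: drop whitespace, uppercase hex.
# Accepts the bare 40-hex-digit form as well as the spaced form that
# 'gpg --fingerprint' prints (groups of four with a wider gap in the middle).
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t\n' | tr 'a-f' 'A-F'
}

# Return 0 if the fingerprint on the printout matches the one computed from
# the imported key, 1 otherwise. Spacing and case differences on the
# hardcopy are tolerated; any differing hex digit, or a truncated or
# mistyped value, is a mismatch (a v4 OpenPGP fingerprint is 40 hex digits).
fingerprint_matches() {
    hardcopy=$(normalize_fpr "$1")
    computed=$(normalize_fpr "$2")
    case "$hardcopy" in
        *[!0-9A-F]*) return 1 ;;
    esac
    [ "${#hardcopy}" -eq 40 ] || return 1
    [ "$hardcopy" = "$computed" ]
}

# Pull the primary key fingerprint out of 'gpg --with-colons --fingerprint'
# output read from stdin: the first "fpr" record carries it in field 10.
extract_fpr_from_colons() {
    awk -F: '$1 == "fpr" { print $10; exit }'
}

# Full workflow after the key-signing event (calls gpg; not exercised by
# the checks below). $1 is the key id and $2 the fingerprint, both copied
# from the printout handed over at the event.
sign_if_fingerprint_matches() {
    keyid=$1
    hardcopy_fpr=$2
    gpg --recv-keys "$keyid" || return 1        # fetch from a key server
    computed=$(gpg --with-colons --fingerprint "$keyid" | extract_fpr_from_colons)
    if fingerprint_matches "$hardcopy_fpr" "$computed"; then
        gpg --sign-key "$keyid" && gpg --send-keys "$keyid"
    else
        echo "fingerprint mismatch for $keyid: not signing" >&2
        return 1
    fi
}

# Constructed sample, in the layout gpg prints on a hardcopy.
SAMPLE_HARDCOPY="AAAA BBBB CCCC DDDD EEEE  FFFF 0000 1111 2222 3333"
```

The check deliberately rejects anything that is not exactly 40 hex digits rather than doing a prefix match, so a short key id written on a slip of paper can never stand in for a full fingerprint.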