AW: Trusted Signatures on your Public key?
Huels, Ralf SCORE
Ralf.Huels@schufa.de
Thu Jul 19 13:21:05 2001
> That's what I was curious about, just how do you do this, take your
> key on a floppy, and then get people to sign it.. then come home and
> import it?
Taking the key on a floppy is one way, but a rather complicated one,
especially since people will rarely carry their secret key around to
sign keys away from their home systems (Storing a secret key on a
mobile computer is a security risk and copying a secret key to
somebody else's machine utterly destroys any security).
The solution lies in the key fingerprint.
The output of 'gpg --fingerprint <yourkeyid>' uniquely identifies your
key.
Usually people just exchange hardcopies of their fingerprints and check
each other's ID.
You can then get the key from the key servers or exchange the keys by
mail.
Check the fingerprint of the keys thus received against the printouts
you received at the key signing event.
This gives you proof that you have the correct key which you can now
sign in the privacy of your secure home environment.
Afterwards you upload the signed key to the key server or mail it
back to its owner.
I carry a couple of fingerprint hardcopies in my wallet at all times,
so if I run into a PGP/GPG user by chance, I have everything he/she
needs to sign my key.
Bye,
Ralf
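
The fingerprint check described in the message above, as an added example that is not part of the original post: it compares a fingerprint typed in from a paper printout against the machine-readable output of `gpg --with-colons --fingerprint <keyid>` for a key fetched from a key server or mail. The fingerprints, key IDs and sample output are constructed, and the function names are hypothetical.

```python
import re

FPR = "0123456789ABCDEF0123456789ABCDEF01234567"      # constructed primary key fingerprint
SUB_FPR = "FEDCBA9876543210FEDCBA9876543210FEDCBA98"  # constructed subkey fingerprint

# Constructed sample of `gpg --with-colons --fingerprint <keyid>` output.
SAMPLE = "\n".join([
    "pub:-:4096:1:89ABCDEF01234567:995500000:::-:::scESC:",
    "fpr" + ":" * 9 + FPR + ":",
    "uid:-::::995500000::::Alice Example <alice@example.org>:",
    "sub:-:4096:1:76543210FEDCBA98:995500000::::::e:",
    "fpr" + ":" * 9 + SUB_FPR + ":",
])

def normalize(text):
    """Strip spacing from a typed-in fingerprint and require a full-length one."""
    fpr = re.sub(r"[\s:]", "", text).upper()
    # 32 hex digits = v3 (MD5) fingerprint, 40 = v4 (SHA-1). Anything shorter is
    # only a key ID and is not enough to identify the key.
    if not re.fullmatch(r"[0-9A-F]+", fpr) or len(fpr) not in (32, 40):
        raise ValueError("not a full fingerprint: %r" % text)
    return fpr

def primary_fingerprints(colons):
    """Return the fingerprint of every primary key in colon-format output."""
    found, after_pub = [], False
    for line in colons.splitlines():
        fields = line.split(":")
        if fields[0] in ("pub", "sub"):
            # Remember which kind of key the next fpr record belongs to.
            after_pub = fields[0] == "pub"
        elif fields[0] == "fpr" and after_pub and len(fields) > 9:
            found.append(fields[9].upper())  # field 10 carries the fingerprint
            after_pub = False
    return found

def matches_printout(colons, printed):
    """True only if the output holds exactly one primary key and it matches."""
    return primary_fingerprints(colons) == [normalize(printed)]
```
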