What can I expect at a Key Signing party?
Andrew McDonald
andrew@mcdonald.org.uk
Sun Oct 14 22:34:01 2001
--pf9I7BMVVzbSWLtt
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable
On Sun, Oct 14, 2001 at 10:21:08AM -0700, Nick Andriash wrote:
> On Sunday, October 14 2001 at 06:28 AM PDT, you wrote:
>=20
> > When I get home I download their key and check the fingerprint against
> > the slip of paper. I then usually e-mail them a challenge (something
> > like the output of "dd if=3D/dev/urandom bs=3D1 count=3D32 | od -x -Ax")
> > which they return signed by their public key.
>=20
> What is the purpose of the "challenge"? What is it? What would having
> them return that to you tell you about them that you don't already know?=
=20
The challenge is a cryptographically secure random number.
The checking of passport verifies that 'real person' claims to own
'key' (and 'e-mail address'). The signing of a random challenge
verifies that 'e-mail address' has access to the private part of 'key'.
It attempts to verify that 'real person' can't claim to own 'e-mail
address' and 'key' unless he really does.
--=20
Andrew McDonald
E-mail: andrew@mcdonald.org.uk
http://www.mcdonald.org.uk/andrew/
--pf9I7BMVVzbSWLtt
Content-Type: application/pgp-signature
Content-Disposition: inline
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org
iD8DBQE7yeaE/LupyPLe7TYRAr2NAJwKvxFwF5HVsorc40LJAtpk1mYwuwCfdQ9K
b3xSCi/GqTgjJj7hjl55xDQ=
=kSOj
-----END PGP SIGNATURE-----
--pf9I7BMVVzbSWLtt--