What can I expect at a Key Signing party?

Andrew McDonald andrew@mcdonald.org.uk
Sun Oct 14 22:34:01 2001



On Sun, Oct 14, 2001 at 10:21:08AM -0700, Nick Andriash wrote:

> On Sunday, October 14 2001 at 06:28 AM PDT, you wrote:
>
> > When I get home I download their key and check the fingerprint against
> > the slip of paper. I then usually e-mail them a challenge (something
> > like the output of "dd if=/dev/urandom bs=1 count=32 | od -x -Ax")
> > which they return signed by their public key.
>
> What is the purpose of the "challenge"? What is it? What would having
> them return that to you tell you about them that you don't already know?

The challenge is a cryptographically secure random number.

The checking of passport verifies that 'real person' claims to own 'key'
(and 'e-mail address'). The signing of a random challenge verifies that
'e-mail address' has access to the private part of 'key'. It attempts to
verify that 'real person' can't claim to own 'e-mail address' and 'key'
unless he really does.

--
Andrew McDonald
E-mail: andrew@mcdonald.org.uk
http://www.mcdonald.org.uk/andrew/
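
The check discussed in this thread, seen from the verifier's side, as an added example that is not part of the original post: a returned challenge is accepted only if gpg reports a valid signature by the key whose fingerprint is on the paper slip and the signed text is the challenge that was sent. The function names are hypothetical, and `verify_response` assumes GnuPG is installed with the signer's public key already imported.

```shell
#!/bin/sh
# Added example: the verifier's side of the e-mailed challenge.
# All function names are hypothetical.

# 32 random bytes as hex words: the pipeline quoted in the post.
make_challenge() {
    dd if=/dev/urandom bs=1 count=32 2>/dev/null | od -x -Ax
}

# Drop whitespace and upper-case, so the slip and gpg's output compare equal.
norm_fpr() {
    printf '%s' "$1" | tr -d ' \t\r\n' | tr 'a-f' 'A-F'
}

# check_status STATUS_TEXT SLIP_FPR
# True only if gpg's machine-readable status has a VALIDSIG line whose
# signing-key fingerprint (field 3) or primary-key fingerprint (last
# field, when present) equals the fingerprint from the paper slip.
check_status() {
    printf '%s\n' "$1" | awk -v want="$(norm_fpr "$2")" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" &&
            (($3 "") == (want "") || ($NF "") == (want "")) { ok = 1 }
        END { exit !ok }'
}

# same_text A B: exact match once mail-induced whitespace changes are removed.
same_text() {
    [ "$(printf '%s' "$1" | tr -d ' \t\r\n')" = \
      "$(printf '%s' "$2" | tr -d ' \t\r\n')" ]
}

# verify_response SIGNED_FILE CHALLENGE_FILE SLIP_FPR
# Assumes gpg is installed and the signer's public key is imported.
# The body runs in a subshell so its variables stay local.
verify_response() (
    body=$(mktemp) || exit 1
    status=$(gpg --batch --yes --status-fd 1 --output "$body" \
                 --decrypt "$1" 2>/dev/null)
    rc=1
    if check_status "$status" "$3" &&
       same_text "$(cat "$body")" "$(cat "$2")"; then
        rc=0
    fi
    rm -f "$body"
    exit "$rc"
)
```

Comparing the full fingerprint from the status output, rather than a short key ID or the user ID string, is what ties the returned signature to the key checked on paper.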