Third party information (was: Semi-automated trust, policy)
Tue Dec 10 15:32:02 2002
-----BEGIN PGP SIGNED MESSAGE-----
> sign his key I found that while the key ID, date and some
> UIDs were there, the Fingerprint was missing.
> and I still didn't sign it because he didn't list the
> fingerprint in his claim of ownership.
> Am I being overly paranoid? (Apart from the fact that this
> might serve as a lesson to take more care when preparing
> for a key signing ;-)
No, you were not being overly paranoid. If someone made such
a major mistake of leaving their fingerprint off at a keysigning,
they do not deserve to be in the WoT. At the very least, I would
not have helped them get deeper into it by signing their key.
If anything, I think most people in general are not paranoid
enough. I think the bare minimum should be checking the fingerprint,
two picture IDs, and verifying the email afterwards. In an ideal
world, I'd have other people vouch for their identity as well;
this is one reason why keysignings held at existing user group
meetings (e.g. LUGs) work so well.
Greg Sabino Mullane firstname.lastname@example.org
PGP Key: 0x14964AC8 200212100929
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----