signing keys

Ingo Klöcker ingo.kloecker@epost.de
Wed Jan 30 01:20:01 2002


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Markus, I guess your message should have gone to the GnuPG mailing list.

On Tuesday 29 January 2002 12:39, markus_kampkoetter wrote:
> Ingo Klöcker schrieb:
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> > On Monday 28 January 2002 19:08, Davide Cavallari wrote:
> > > You know, I'm just new to openPGP. If  I want a friend of mine to
> > > securely sign my  public key I  think she should  call me over 
> > > the phone as  it is explained in the original Zimmermann's
> > > manual. She cannot completely trust the information gained  from
> > > my 'X-PGP' headers, since in  this case there is no 'history' at
> > > all.
> >
> > Even better would be if you personally gave her a printout of your
> > key's fingerprint. Only if she knows your voice very well and if a
> > personal exchange of fingerprints is not possible you should use
> > the phone-call-method.
> >
> > Regards,
> > Ingo
>
> hi to all! (and sorry i do not use gpg at the moment)
> in the above case you should not use any wireless phone.

Why? No confidential information it exchanged over the phone. The only 
piece of information which is exchanged is the key's fingerprint (which 
is not secret but public because it's the fingerprint of the public 
key).

> to be true, this discussion seemes to be very theoretically (but
> still interesting). i am new to the theme but have there been
> `exploits´ in a way that somebody created `evil´ keys?

Yes. There were already some keys created by unknowns with the identity 
of other people. IIRC there is a fake key with Phil Zimmermann's name 
on it.

> if a strong/powerfull/rich
> person/state/organization would really like to know what _you_ are
> doing on your computer they easily can scan your monitor.

...and put a key logger in your keyboard. BTW, AFAIK it's not possible 
to 'scan' a LCD display because they emit far too low radiation (if at 
all).

Regards,
Ingo
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE8VzVKGnR+RTDgudgRAt2fAJwLPS/NUURVblGpNg3nnEhVuWi+hACfYwpp
taMizyTkuSKEqP1oab6LbYo=
=fSYR
-----END PGP SIGNATURE-----