key-signing for pseudonyms

Chris Fox dissectingtable at
Sun May 16 10:08:35 CEST 2004

Atom 'Smasher' wrote:

> here's a thought....
> let's say i meet someone and their key-name is a pseudonym. we want to
> sign each other's keys, but i have no idea who this person is.
> we can generate a random string (while face-to-face) and each write that
> down on paper (taking precautions that this shared secret remains secret).
> later, i generate (by myself) a second random string and email it to them,
> encrypted and signed. when they mail me back both strings, encrypted and
> signed, i sign their key and send it back encrypted (and delete my local
> copy of their key signature). when the signature appears publicly, can
> there be much doubt that i'm dealing with the same person i met?
> if both of us are using pseudonyms, we agree on two random strings when we
> meet... one string is their secret that they confirm with me, the other is
> my secret that i confirm with them.
> how secure (trusted?) is such a protocol?
> what level of trust (signature) would this earn?
> in such a situation, what disclaimers might someone use in a policy-url?

If you don't have a copy, you should get one, and the discussion you'd
find most useful is in chapter 22.
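
The exchange described in the quoted text, seen from the signer's side, as an added example that is not part of the original thread. It assumes GnuPG has already decrypted the reply and verified its signature, and passes in the verifying key's fingerprint and the plaintext; the class and method names and the "two strings separated by a space" reply format are assumptions.

```python
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Signer:
    """The party deciding whether to certify a pseudonymous key (hypothetical helper)."""
    # fingerprint -> (string agreed in person, string e-mailed later or None)
    pending: dict = field(default_factory=dict)

    def meet(self, fpr: str) -> str:
        """Face to face: agree on a random string for the key with fingerprint fpr."""
        in_person = secrets.token_hex(16)
        self.pending[fpr] = (in_person, None)
        return in_person  # both parties write this down on paper

    def challenge(self, fpr: str) -> str:
        """Later: the second string, to be sent encrypted to fpr and signed."""
        in_person, _ = self.pending[fpr]
        emailed = secrets.token_hex(16)
        self.pending[fpr] = (in_person, emailed)
        return emailed

    def check_reply(self, verified_fpr: str, plaintext: str) -> bool:
        """Decide whether to sign the key.

        verified_fpr: fingerprint of the key whose signature on the reply verified.
        plaintext:    decrypted body, expected to be "<in_person> <emailed>".
        """
        # Look up by the key that actually signed the reply, so a reply signed
        # by any other key can never satisfy (or consume) this challenge.
        entry = self.pending.pop(verified_fpr, None)  # single use: no replays
        if entry is None or entry[1] is None:
            return False
        expected = f"{entry[0]} {entry[1]}".encode()
        # Constant-time comparison of both strings at once.
        return hmac.compare_digest(expected, plaintext.strip().encode())
```

A passing check shows only that whoever controls the secret key also knows the string agreed in person; it says nothing about the name on the key.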

More information about the Gnupg-users mailing list