What policy for signing keys do you use?

Thomas Widhalm widhalmt at unix.sbg.ac.at
Wed Dec 28 22:50:51 CET 2005


Many people have their keys or key IDs and fingerprints on their websites, 
which should be very hard for an attacker to fake: website, key and key ID, all 
at once, just before it gets discovered.

But is this enough for you to sign the key? Not locally, but exportable.

I know of the policies of some CAs, who need a meeting in real life, a 
passport and a signature.

So how do you deal with signatures? Is it irresponsible to sign keys just 
because they are on a website with a fingerprint? Is it sufficient if you 
give "haven't checked anything" or "checked marginally" while signing? Or 
is this just for the local trustdb?

What about keys without real names but just nicknames?

* Thomas Widhalm                             Unix Administrator *
* University of Salzburg                     IT- Services (ITS) *
* Systems Management                               Unix Systems *
* Hellbrunnerstr. 34                     5020 Salzburg, Austria *
* widhalmt at unix.sbg.ac.at                     +43/662/8044-6774 *
* gpg: 6265BAE6                                                 *
* http://www.sbg.ac.at/zid/organisation/mitarbeiter/widhalm.htm *
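The question above turns on two things gpg records in every certification: the certification level the signer asserted (the "haven't checked" / "checked marginally" answers at the signing prompt become class 0x11 and 0x12) and whether the signature is exportable or local-only (made with --lsign-key, so it stays in the signer's own trustdb). The script below, added here as an example and not part of the original post or of GnuPG, audits a key's certifications from `gpg --with-colons --list-sigs` output and checks a fingerprint copied from a web page against the one in the listing. The listing is constructed sample data (no real keys); the field layout follows GnuPG's doc/DETAILS file, where sig field 11 is the class as two hex digits followed by `x` (exportable) or `l` (local).

```python
#!/usr/bin/env python3
"""Audit the certifications on an OpenPGP key from `gpg --with-colons --list-sigs`
output: which signers made exportable vs local-only (--lsign-key) certifications,
and which certification level each one asserted.

Record layout follows GnuPG's doc/DETAILS (colon-separated fields):
  pub  field 5  = key ID
  fpr  field 10 = full fingerprint
  sig  field 5  = signer key ID, field 10 = signer user ID,
       field 11 = signature class: two hex digits (10 generic, 11 persona,
       12 casual, 13 positive) followed by 'x' (exportable) or 'l' (local-only).
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Meaning of the certification class byte (RFC 4880 section 5.2.1).
CERT_LEVELS: Dict[str, str] = {
    "10": "generic: no statement about how the identity was checked",
    "11": "persona: signer has not checked the identity at all",
    "12": "casual: signer did some casual (marginal) checking",
    "13": "positive: signer did substantial checking",
}

# Constructed sample listing (not real keys): one self-signature and three
# third-party certifications, one of them local-only.
SAMPLE_LISTING = """\
tru::1:1135806651:0:3:1:5
pub:-:1024:17:AAAAAAAABBBBBBBB:1100000000:::-:::scESC:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:-::::1100000000::0000000000000000000000000000000000000000::Example User <user@example.invalid>:
sig:::17:AAAAAAAABBBBBBBB:1100000000::::Example User <user@example.invalid>:13x:
sig:::17:1111111122222222:1135700000::::Alice Signer <alice@example.invalid>:12x:
sig:::17:3333333344444444:1135700000::::Bob Signer <bob@example.invalid>:11l:
sig:::17:5555555566666666:1135700000::::Carol Signer <carol@example.invalid>:10x:
"""


@dataclass(frozen=True)
class Certification:
    signer_keyid: str
    signer_uid: str
    level: str         # "10".."13"
    exportable: bool   # False means local-only: it never leaves this keyring
    self_sig: bool     # signer is the key owner


def parse_listing(text: str) -> Tuple[Optional[str], Optional[str], List[Certification]]:
    """Return (key ID, fingerprint, certifications) from --with-colons output."""
    key_id: Optional[str] = None
    fingerprint: Optional[str] = None
    certs: List[Certification] = []
    for line in text.splitlines():
        f = line.split(":")
        if f[0] == "pub" and len(f) > 4:
            key_id = f[4]
        elif f[0] == "fpr" and len(f) > 9:
            fingerprint = f[9]
        elif f[0] == "sig" and len(f) > 10:
            sig_class = f[10]
            certs.append(Certification(
                signer_keyid=f[4],
                signer_uid=f[9],
                level=sig_class[:2],
                exportable=sig_class.endswith("x"),
                self_sig=(f[4] == key_id),
            ))
    return key_id, fingerprint, certs


def _normalize_fpr(s: str) -> str:
    # Drop the grouping whitespace and unify case used when publishing fingerprints.
    return "".join(s.split()).upper()


def fingerprint_matches(listing_fpr: str, published_fpr: str) -> bool:
    """Compare the fingerprint gpg prints with one copied from a web page."""
    return _normalize_fpr(listing_fpr) == _normalize_fpr(published_fpr)


def summarize(certs: List[Certification]) -> Dict[str, object]:
    """Split third-party certifications into those that travel with the key
    (exportable) and those confined to the signer's local trustdb (lsign)."""
    third_party = [c for c in certs if not c.self_sig]
    return {
        "exportable": [c.signer_keyid for c in third_party if c.exportable],
        "local_only": [c.signer_keyid for c in third_party if not c.exportable],
        "levels": Counter(c.level for c in third_party),
    }


if __name__ == "__main__":
    key_id, fpr, certs = parse_listing(SAMPLE_LISTING)
    print(f"key {key_id}, fingerprint {fpr}")
    for c in certs:
        kind = "self-sig" if c.self_sig else ("exportable" if c.exportable else "LOCAL ONLY")
        print(f"  {c.signer_keyid} {kind:11} 0x{c.level}: {CERT_LEVELS.get(c.level, 'unknown')}")
    print(summarize(certs))
```

Only the exportable certifications ever reach a keyserver or another keyring, so a "haven't checked" answer given with --lsign-key affects nothing but the signer's own trustdb, whereas the same answer on an exportable signature is a published statement other people's trust calculations will see.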
