What policy for signing keys do you use?
Thomas Widhalm
widhalmt at unix.sbg.ac.at
Wed Dec 28 22:50:51 CET 2005
Hi!
Many people have their keys or key IDs and fingerprints on their websites
which should be very hard to fake for an attacker. Website, key, key ID, all
at a time just before it gets discovered.
But is this enough for you to sign the key? Not locally but exportable.
I know of the policies of some CAs, who need a meeting in the real life, a
passport and a signature.
So how do you deal with signatures? Is it irresponsible to sign keys just
because they are on a website with a fingerprint? Is it sufficient if
you give "haven't checked anything" or "checked marginally" while signing? Or
is this just for the local trustdb?
What about keys without real names but just nicknames?
Regards,
Thomas
--
*****************************************************************
* Thomas Widhalm Unix Administrator *
* University of Salzburg IT- Services (ITS) *
* Systems Management Unix Systems *
* Hellbrunnerstr. 34 5020 Salzburg, Austria *
* widhalmt at unix.sbg.ac.at +43/662/8044-6774 *
* gpg: 6265BAE6 *
* http://www.sbg.ac.at/zid/organisation/mitarbeiter/widhalm.htm *
*****************************************************************
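As an added example (not part of Thomas's post and not GnuPG's own code), the following Python script reads the `sig` records from `gpg --with-colons --list-sigs` output and separates the two things the question runs together: the check level the signer claimed (field 11, certification classes 0x10 to 0x13, which correspond to the answers gpg offers at `--ask-cert-level`) and whether the certification is exportable (`x`) or local-only (`l`, as produced by `--lsign-key`). Only exportable third-party certifications are ever seen by anyone else; local ones feed nothing but your own trustdb. The field positions follow GnuPG's DETAILS description of the colon format; the key IDs, names and the whole listing below are constructed for the demonstration.

```python
"""Classify OpenPGP certifications from ``gpg --with-colons --list-sigs`` output.

Added example for the gnupg-users thread on signing policy; not taken from
GnuPG. Field layout of ``sig`` records (0-based after splitting on ':'):
  0 record type, 3 pubkey algo, 4 signer key ID, 5 creation time,
  9 signer user ID, 10 signature class ("13x" = class 0x13, exportable;
  "10l" = class 0x10, local-only / non-exportable).
"""

# Certification classes (RFC 4880 sect. 5.2.1) as gpg prints them in field 10.
CERT_LEVELS = {
    "10": "generic: no statement about how the identity was checked",
    "11": "persona: signer has not checked the identity at all",
    "12": "casual: signer did casual checking",
    "13": "positive: signer did very careful checking",
}

# The menu gpg shows with --ask-cert-level, mapped to the class it produces.
ASK_CERT_LEVEL_ANSWERS = {
    0: "10",  # "I will not answer" (the default)
    1: "11",  # "I have not checked at all"
    2: "12",  # "I have done casual checking"
    3: "13",  # "I have done very careful checking"
}

# Constructed sample: Alice's own key with a self-signature, two exportable
# third-party certifications (Bob: casual, Dave: persona) and one local-only
# certification from Carol that never leaves Carol's keyring.
SAMPLE_LISTING = """\
pub:u:2048:1:0123456789ABCDEF:1135806651:::u:::scESC:
fpr:::::::::0000000000000000000000000123456789ABCDEF:
uid:u::::1135806651::0000000000000000000000000000000000000000::Alice Example <alice@example.org>:
sig:::1:0123456789ABCDEF:1135806651::::Alice Example <alice@example.org>:13x:
sig:::1:FEDCBA9876543210:1135806700::::Bob Example <bob@example.org>:12x:
sig:::1:1122334455667788:1135806800::::Carol Example <carol@example.org>:10l:
sig:::1:8877665544332211:1135806900::::Dave Example <dave@example.org>:11x:
"""


def cert_class_for_answer(answer: int) -> str:
    """Return the signature class gpg writes for a given --ask-cert-level answer."""
    return ASK_CERT_LEVEL_ANSWERS[answer]


def parse_listing(listing: str):
    """Return (primary key ID, list of certification dicts) for one key."""
    primary = None
    certs = []
    for line in listing.splitlines():
        fields = line.split(":")
        if fields[0] == "pub":
            primary = fields[4]
        elif fields[0] == "sig" and len(fields) > 10:
            sigclass = fields[10]
            code, flag = sigclass[:2], sigclass[2:]
            certs.append({
                "signer_keyid": fields[4],
                "signer_uid": fields[9],
                "class": code,
                "level": CERT_LEVELS.get(code, "unknown class 0x" + code),
                "exportable": flag == "x",
                "local_only": flag == "l",
                # A self-signature binds the UID to the key; it says nothing
                # about anyone having checked the identity.
                "self_signature": fields[4] == primary,
            })
    return primary, certs


def third_party_exportable(listing: str):
    """Key IDs of certifications a third party could actually see and rely on."""
    _, certs = parse_listing(listing)
    return [c["signer_keyid"] for c in certs
            if c["exportable"] and not c["self_signature"]]


def report(listing: str) -> str:
    """Human-readable summary, one line per certification."""
    primary, certs = parse_listing(listing)
    lines = [f"certifications on {primary}:"]
    for c in certs:
        kind = "self" if c["self_signature"] else ("exportable" if c["exportable"] else "local-only")
        lines.append(f"  {c['signer_keyid']} {kind:11} {c['level']}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_LISTING))
```

Run it against a real listing with `gpg --with-colons --list-sigs KEYID | python3 classify.py` after replacing `SAMPLE_LISTING` with `sys.stdin.read()`; the report makes it obvious when a key's apparent web of signatures consists of nothing more than "persona" (class 0x11) certifications that explicitly claim no checking.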