signing a robot's key - was: Re: Global Directory signatures

Mark H. Wood mwood at IUPUI.Edu
Sat Jan 1 17:40:29 CET 2005


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Sat, 1 Jan 2005, Neil Williams wrote:
> But you cannot do that, you cannot prove to me that it is that key. There is
> no way that I can verify the key because I cannot verify the UID. As David
> said, it is trivial to create yet another PGP Global Directory Verification
> Key - how can you prove which one is 'real'? As it would be my own key,
> created under false pretences, I could introduce it to PGP GD and sign
> whatever I wanted with it.

So, looking up PGP Corporation in the phone book, calling their corporate
headquarters, and verifying the fingerprint with a person wouldn't help?

- -- 
Mark H. Wood, Lead System Programmer   mwood at IUPUI.Edu
Open-source executable:  $0.00.  Source:  $0.00  Control:  priceless!

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)
Comment: pgpenvelope 2.10.2 - http://pgpenvelope.sourceforge.net/

iD8DBQFB1tKDs/NR4JuTKG8RAoqOAJ4puwcVldS5k2CMETCEht10TWeQagCfbEfK
IteOwkjbRZKqeFNoV72J5lQ=
=phYY
-----END PGP SIGNATURE-----


