A question about verifying keys

James Davis jamesd at jml.net
Fri Dec 19 11:26:11 CET 2008

A colleague of mine asked me to send him a signed e-mail of fingerprints
of some keys that I'd personally verified earlier in the day. I'd also
signed the keys, and published the signatures to a public key server.

I argued that my signature on the publicly available keys was as good as
the signed e-mail of the fingerprints. He seemed to think that the
public key server introduced the possibility of meddling with the keys
(although I pointed out that if this was the case, my signatures
wouldn't verify).

Is a signed e-mail containing a fingerprint equivalent to signing a key?


More information about the Gnupg-users mailing list