Signing a key (meaning)

MFPA expires2011 at ymail.com
Sat Apr 9 14:26:38 CEST 2011


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Hi


On Friday 8 April 2011 at 11:58:09 PM, in
<mid:20110408225809.156930 at gmx.net>, Jan Janka wrote:


>>But the e-mail access control check *does* protect
>>against the attack scenario where at the time of
>>keysigning, Eve does *not* have access to Bob's inbox.

> Yes, but the fingerprint check already protects against
> that, so why do we need another check?

Please describe how checking key fingerprints is in any way related to
email addresses.

My understanding is that there is a three-point check:-

1. checking the fingerprint to ensure you have the correct key.
2. checking identity documents to ensure it is the correct person.
3. sending an encrypted message to ensure somebody controlling that
   key can receive emails at that address.


> 1. John tells me john at hot.com.
> 2. I believe that he has access to john at hot.com (see former email).
> 3. I find keys on the server by looking for john at hot.com.
> 4. I choose "John Smith <john at hot.com>", because I know his name.
> 5. I make a fingerprint check on the phone (I know his voice).
> 6. I sign the key.
> 7. I upload the signed key to the keyserver.

Number 7 is a very rude thing to do. Much better to email the signed
key to John Smith and let him decide whether or not to publish it with
your signature on it.

Better still to encrypt that message to the key you have just signed,
so that only a person in control of that key has access to the copy
bearing your signature. Then delete the exportable signature from your
own copy of that key and replace it with a local signature, so that
you don't accidentally send it to a server bearing your signature,
potentially against John Smith's wishes.

- --
Best regards

MFPA                    mailto:expires2011 at ymail.com

ETHERNET(n): device used to catch the Ether bunny
-----BEGIN PGP SIGNATURE-----

iQE7BAEBCgClBQJNoFCXnhSAAAAAAEAAVXNpZ25pbmdfa2V5X0lEIHNpZ25pbmdf
a2V5X0ZpbmdlcnByaW50IEAgIE1hc3Rlcl9rZXlfRmluZ2VycHJpbnQgQThBOTBC
OEVBRDBDNkU2OSBCQTIzOUI0NjgxRjFFRjk1MThFNkJENDY0NDdFQ0EwMyBAIEJB
MjM5QjQ2ODFGMUVGOTUxOEU2QkQ0NjQ0N0VDQTAzAAoJEKipC46tDG5pHKcD/1YF
V03ZULqlhHjfsLjOTQ6IaU0ONCXaQZYMWDAcpatNLLj3WU5YPE6wgQwaEDgwhT6h
f+RnLgeNOE70v1uFy+hJ/iXvIOI4PD9Y7u9QajBWUbRPSPJ0krrUbgR8Yk5mOf45
9DmGJ0Oe2sUc5K0g4NyvDkV4hjbHaL+9ff/5wPWE
=kALw
-----END PGP SIGNATURE-----
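The procedure the post arrives at (certify the key after a fingerprint check, hand the signed copy to John encrypted to that very key instead of uploading it, then keep only a local signature in your own keyring), as an added shell example that is not part of the original post or of GnuPG's documentation. It assumes GnuPG 2.1 or later on PATH; the two throwaway GNUPGHOME directories stand in for John's machine and the signer's, the names and addresses are made up, and the "delete the exportable signature" step is done by re-importing a pristine copy of John's key rather than through the interactive `delsig` menu.

```shell
#!/bin/sh
# Added example (not the post's own procedure): certify John's key, give him the
# signed copy encrypted to that key, keep only a non-exportable signature yourself.
# Assumes GnuPG 2.1+; identities below are constructed for the demo.
set -eu
command -v gpg >/dev/null 2>&1 || { echo "gpg not installed; nothing to run" >&2; exit 0; }

JOHN_HOME=$(mktemp -d); MY_HOME=$(mktemp -d); WORK=$(mktemp -d)
chmod 700 "$JOHN_HOME" "$MY_HOME"
cleanup() {
  gpgconf --homedir "$JOHN_HOME" --kill gpg-agent 2>/dev/null || true
  gpgconf --homedir "$MY_HOME" --kill gpg-agent 2>/dev/null || true
  rm -rf "$JOHN_HOME" "$MY_HOME" "$WORK"
}
trap cleanup EXIT

# gpg in batch mode with an empty passphrase, against a chosen homedir
g() { home=$1; shift; gpg --homedir "$home" --batch --yes --pinentry-mode loopback --passphrase '' "$@"; }
primary_fpr() { g "$1" --with-colons --list-keys "$2" | awk -F: '$1=="fpr"{print $10; exit}'; }

# John's key (constructed); only the public part leaves his machine
g "$JOHN_HOME" --quick-generate-key "John Smith <john@hot.example>" default default never
JOHN_FPR=$(primary_fpr "$JOHN_HOME" "john@hot.example")
g "$JOHN_HOME" --armor --export "$JOHN_FPR" > "$WORK/john-pristine.asc"

# My key, then John's public key fetched by address (steps 3/4 of the post)
g "$MY_HOME" --quick-generate-key "Me <me@example.org>" default default never
MY_FPR=$(primary_fpr "$MY_HOME" "me@example.org")
MY_KEYID=$(printf '%s' "$MY_FPR" | tail -c 16)   # key ID = last 16 hex digits
g "$MY_HOME" --import "$WORK/john-pristine.asc"

# Step 5/6: fingerprint compared out of band (here against John's own listing),
# then an exportable certification of all of John's user IDs
[ "$(primary_fpr "$MY_HOME" "$JOHN_FPR")" = "$JOHN_FPR" ]
g "$MY_HOME" --quick-sign-key "$JOHN_FPR"

# Instead of step 7 (keyserver upload): export the signed copy and encrypt it to
# the key just signed, so only its holder can read the copy bearing my signature
g "$MY_HOME" --armor --export "$JOHN_FPR" > "$WORK/john-signed.asc"
g "$MY_HOME" --trust-model always --armor --recipient "$JOHN_FPR" \
  --output "$WORK/for-john.asc" --encrypt "$WORK/john-signed.asc"

# Remove my exportable signature from my own keyring: reload the pristine key
# and certify it locally (lsign), which never leaves this keyring on export
g "$MY_HOME" --delete-keys "$JOHN_FPR"
g "$MY_HOME" --import "$WORK/john-pristine.asc"
g "$MY_HOME" --quick-lsign-key "$JOHN_FPR"

# John decrypts and imports the copy; publishing it is now his decision
g "$JOHN_HOME" --output "$WORK/john-received.asc" --decrypt "$WORK/for-john.asc"
g "$JOHN_HOME" --import "$WORK/john-received.asc"

# Count my certifications on John's key by class: field 11 of a --with-colons
# sig record is "10x" for an exportable signature, "10l" for a local one
count_sigs() { # $1 = homedir, $2 = x or l
  g "$1" --with-colons --list-sigs "$JOHN_FPR" |
    awk -F: -v id="$MY_KEYID" -v cls="10$2" '$1=="sig" && $5==id && $11==cls {n++} END {print n+0}'
}
echo "my keyring:     exportable=$(count_sigs "$MY_HOME" x) local=$(count_sigs "$MY_HOME" l)"
echo "John's keyring: exportable=$(count_sigs "$JOHN_HOME" x) local=$(count_sigs "$JOHN_HOME" l)"
```

After the run, `gpg --export` of John's key from the signer's keyring carries no third-party signature at all (the local signature is never exported), while the copy John decrypted does carry the exportable one, so only he can decide whether a keyserver ever sees it. The same split is visible in `gpg --list-sigs`, which marks the local signature with an `L`.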