Signing multiple keys

Remco Rijnders remco at webconquest.com
Thu Aug 25 20:49:32 CEST 2011


On Thu, Aug 25, 2011 at 07:35:09PM +0100, MFPA wrote in
<531058786.20110825193509 at my_localhost>:
>Hi
>
>
>On Thursday 25 August 2011 at 7:02:52 PM, in
><mid:4E568E4C.8080907 at gmail.com>, Aaron Toponce wrote:
>
>
>> If I have a public keyring of all the attendees of the
>> party, then I will want to sign every key in that
>> keyring.
>
>You could have a keyring that purported to be all the public keys from
>the signing party. Unless you checked the fingerprint of each key before
>signing it, how would you spot any extra or substituted keys for which
>you had not verified the ID?

The party I was at last weekend (and the first one I ever attended) [1]
had all the keys with the signatures on a text file and requested
participants to compute hashes for that document up front and write that
down on the print of that file. At the start of the party the hashes were
read out aloud so we all knew we were working from the same list of keys.

Then everyone present announced their listed fingerprint was correct for 
their key.

After that, we checked IDs and verified each other's keys.

Remco

[1] http://ksp.froscon.org/
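
The check described in this message, together with the extra-or-substituted-key concern in the quoted reply, as an added example that is not part of the original post. SHA-256, the list layout, the sample fingerprints and all function names are assumptions made for illustration.

```python
import hashlib

# Constructed sample: the printed key list (all fingerprints are made up).
PARTY_LIST = b"""\
001 Alice Example <alice@example.org>
    Key fingerprint = 0123 4567 89AB CDEF 0123  4567 89AB CDEF 0123 4567
002 Bob Example <bob@example.org>
    Key fingerprint = FEDC BA98 7654 3210 FEDC  BA98 7654 3210 FEDC BA98
"""
# Constructed `gpg --with-colons --fingerprint` output; Bob's key is swapped.
KEYRING = """\
pub:-:4096:1:89ABCDEF01234567:1300000000:::-:::scESC:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:-::::1300000000::::Alice Example <alice@example.org>:
sub:-:4096:1:1111111111111111:1300000000::::::e:
fpr:::::::::1111111111111111111111111111111111111111:
pub:-:4096:1:2222222222222222:1300000000:::-:::scESC:
fpr:::::::::2222222222222222222222222222222222222222:
uid:-::::1300000000::::Bob Example <bob@example.org>:
"""

def list_digest(data: bytes) -> str:
    """Hash of the list file (SHA-256 assumed; use what the organiser names)."""
    return hashlib.sha256(data).hexdigest()

def digest_matches(data: bytes, announced: str) -> bool:
    """Compare with the digest read out, ignoring spacing and letter case."""
    return list_digest(data) == "".join(announced.split()).lower()

def listed_fingerprints(data: bytes) -> set:
    """Fingerprints printed on the list, normalised to bare upper-case hex."""
    return {"".join(l.split("=", 1)[1].split()).upper()
            for l in data.decode().splitlines() if "Key fingerprint =" in l}

def primary_fingerprints(colons: str) -> list:
    """Primary-key fingerprints: the fpr record that follows a pub record."""
    result, last = [], None
    for fields in (l.split(":") for l in colons.splitlines()):
        if fields[0] == "fpr" and last == "pub":
            result.append(fields[9].upper())
        if fields[0] in ("pub", "sub", "fpr"):
            last = fields[0]
    return result

def triage(list_data: bytes, colons: str):
    """Split keyring keys into (on the verified list, not on the list)."""
    listed = listed_fingerprints(list_data)
    keys = primary_fingerprints(colons)
    return [k for k in keys if k in listed], [k for k in keys if k not in listed]
```

A key in the first group only matches the agreed list; the owner's confirmation of the fingerprint and the ID check still come before any signature.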