Protecting IDs at a key signing party

MFPA expires2012 at rocketmail.com
Sat Jan 21 14:58:39 CET 2012



Hi


On Thursday 19 January 2012 at 1:38:37 AM, in
<mid:20120119013837.GC23672 at groupw.cns.vt.edu>, Phil Benchoff wrote:


> I think a lot about what signature classes are
> appropriate for what situations and similar pedantry,
> but the current state of practice needs help at a more
> fundamental level.  I just attended my first
> key-signing party.  The participants likely have an
> above-average technical skill set.  Of the 16
> signatures I've received so far, all are at the default
> level.  Five signers delivered my signed keys in
> encrypted form to the individual UIDs. The rest just
> uploaded them to a keyserver.  I can't be critical of
> anyone who did that.  It seems to be the most common
> practice.


I *am* pretty critical of that.

Those 11 people have denied you the opportunity to see exactly what
they are adding to your key before publishing it. (That may generally
be seen as trivial, but it matters to me.)

More importantly, they are signing UIDs that may well contain email
addresses, without actually verifying that you "control" those email
addresses.

--
Best regards

MFPA                    mailto:expires2012 at rocketmail.com

However beautiful the strategy, you should occasionally look at the results.




More information about the Gnupg-users mailing list