Protecting IDs at a key signing party
Robert J. Hansen
rjh at sixdemonbag.org
Sat Jan 21 23:01:51 CET 2012
On 1/21/2012 8:58 AM, MFPA wrote:
> Those 11 people have denied you the opportunity to see exactly what
> they are adding to your key before publishing it. (That may generally
> be seen as trivial, but it matters to me.)

It's less than trivial: it's a complete nonissue.

If they want to mess with you, they don't need your permission. As is,
you've explicitly asked them, "would you please sign certificate
0xDEADBEEF, fingerprint so-and-so, here's my credentials." Then they're
signing it with *their* certificate, backed up by credentials that you
yourself checked. How is this a problem?

You've been making hay out of this for years and I've yet to see any
realistic example of this being a problem. Please present one.

> More importantly, they are signing UIDs that may well contain email
> addresses, without actually verifying that you "control" those email
> addresses.

Likewise, regarding making hay and a complete lack of realistic examples.