Protecting IDs at a key signing party

Robert J. Hansen rjh at
Sat Jan 21 23:01:51 CET 2012

On 1/21/2012 8:58 AM, MFPA wrote:
> Those 11 people have denied you the opportunity to see exactly what
> they are adding to your key before publishing it. (That may generally
> be seen as trivial, but it matters to me.)

It's less than trivial: it's a complete nonissue.

If they want to mess with you, they don't need your permission.  As is,
you've explicitly asked them, "would you please sign certificate
0xDEADBEEF, fingerprint so-and-so, here's my credentials."  Then they're
signing it with *their* certificate, backed up by credentials that you
yourself checked.  How is this a problem?

You've been making hay out of this for years and I've yet to see any
realistic example of this being a problem.  Please present one.

> More importantly, they are signing UIDs that may well contain email
> addresses, without actually verifying that you "control" those email
> addresses.

Likewise, regarding making hay and a complete lack of realistic examples.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 187 bytes
Desc: OpenPGP digital signature
URL: </pipermail/attachments/20120121/7beae25c/attachment.pgp>

More information about the Gnupg-users mailing list