Protecting IDs at a key signing party

Peter Lebbing peter at digitalbrains.com
Sun Jan 22 10:32:41 CET 2012


On 21/01/12 23:01, Robert J. Hansen wrote:
> Then they're signing it with *their* certificate, backed up by
> credentials that you yourself checked.  How is this a problem?

While I generally agree with you on the rest of your mail, this is not
necessarily the case. You met them at a keysigning party. They probably
presented you something they thought would prove their identity. If you read
"checked" as "you looked at it", then yes, probably that is also true :).
But I interpret "checked" here as "verified it was okay", and that is not
necessarily the case.

By the way, I think it's courtesy to send the signature to the key owner.
But it is not a security issue.

I have so far attended a keysigning party once. I noticed a few people had
not published my signature (don't know why)[1]. This also weakened my own
Web of Trust, which was not a big issue, but I still decided to do local
signatures on those keys that did not have my exportable signature. Fine.
But I also have a laptop, so I needed to export my local signatures,
et cetera. A lot of overhead, what with checking fingerprints again for the
local signature, all for a bit of courtesy...

Peter.

[1] I have a slight tremor in the hands, and I noticed sometimes my passport
shook a bit while I was holding it up so the person in front of me could
check it. Perhaps they thought I was bloody nervous because I was trying to
trick them??

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at http://wwwhome.cs.utwente.nl/~lebbing/pubkey.txt
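Added example, not code from the message above or from GnuPG itself: the
message describes finding the party keys that do not carry your exportable
signature, certifying those locally instead, and moving the local signatures
to a second machine. The script below does the first step by parsing the
output of "gpg --with-colons --list-sigs" and sorting every other key into
"no signature of mine", "local signature only" or "published signature".
The record layout it assumes is the one documented in GnuPG's doc/DETAILS
(for a "sig" record, field 5 is the signer's key ID and field 11 the
signature class, a two-digit hex class followed by 'x' for exportable or 'l'
for local-only). The key IDs, user IDs, hashes and dates in the embedded
sample are constructed, not taken from any real keyring; the gpg commands
in the comments are the standard ones for this workflow.

```python
"""Which keys in my keyring lack my exportable signature?

Workflow this supports (added example; commands are GnuPG's documented ones):

  # 1. Refresh from the keyserver, then dump all signatures machine-readably:
  #      gpg --with-colons --list-sigs > sigs.txt
  # 2. For keys reported as unsigned, re-check the fingerprint and certify
  #    locally (non-exportable):
  #      gpg --lsign-key <KEYID>
  # 3. Local signatures are skipped by --export by default; to carry them to
  #    a second machine (e.g. a laptop):
  #      gpg --export-options export-local-sigs --export <KEYID> > key.gpg
  #      gpg --import-options import-local-sigs --import key.gpg
"""

# Constructed sample of `gpg --with-colons --list-sigs` output; not a real
# keyring. 0123456789ABCDEF is "my" key; the other three were met at a party.
SAMPLE = """\
tru::1:1327000000:0:3:1:5
pub:u:4096:1:0123456789ABCDEF:1300000000:::u:::scESC:
uid:u::::1300000000::0000000000000000000000000000000000000000::You <you@example.org>:
sig:::1:0123456789ABCDEF:1300000000::::You <you@example.org>:13x:
pub:f:2048:1:AAAAAAAAAAAAAAAA:1310000000:::-:::scESC:
uid:f::::1310000000::1111111111111111111111111111111111111111::Alice <alice@example.org>:
sig:::1:AAAAAAAAAAAAAAAA:1310000000::::Alice <alice@example.org>:13x:
sig:::1:0123456789ABCDEF:1327000000::::You <you@example.org>:10x:
pub:f:2048:1:BBBBBBBBBBBBBBBB:1310000000:::-:::scESC:
uid:f::::1310000000::2222222222222222222222222222222222222222::Bob <bob@example.org>:
sig:::1:BBBBBBBBBBBBBBBB:1310000000::::Bob <bob@example.org>:13x:
sig:::1:0123456789ABCDEF:1327000000::::You <you@example.org>:10l:
pub:-:2048:1:CCCCCCCCCCCCCCCC:1310000000:::-:::scESC:
uid:-::::1310000000::3333333333333333333333333333333333333333::Carol <carol@example.org>:
sig:::1:CCCCCCCCCCCCCCCC:1310000000::::Carol <carol@example.org>:13x:
"""


def parse_colons(text):
    """Yield (record_type, fields) for every non-empty colon-separated line."""
    for line in text.splitlines():
        if line.strip():
            fields = line.split(":")
            yield fields[0], fields


def classify_keys(text, my_keyid):
    """Map each key ID (except my own) to its first user ID and whether my key
    has placed an exportable and/or a local-only signature on it.

    Key IDs are compared by suffix, so a short (8 hex) ID also matches the
    long ID GnuPG prints in colon mode.
    """
    mine = my_keyid.upper()
    keys = {}
    current = None
    for rtype, f in parse_colons(text):
        if rtype == "pub":
            current = f[4]
            keys[current] = {"uid": None, "exportable": False, "local": False}
        elif rtype == "uid" and current is not None and keys[current]["uid"] is None:
            keys[current]["uid"] = f[9]          # field 10: user ID
        elif rtype == "sig" and current is not None and len(f) > 10:
            if not f[4].upper().endswith(mine):  # field 5: signer key ID
                continue
            sig_class = f[10]                    # field 11: e.g. "10x", "13l"
            if sig_class.endswith("x"):
                keys[current]["exportable"] = True
            elif sig_class.endswith("l"):
                keys[current]["local"] = True
    # Self-signatures on my own key are not what we are looking for.
    for keyid in [k for k in keys if k.upper().endswith(mine)]:
        del keys[keyid]
    return keys


def keys_lacking_my_signature(text, my_keyid):
    """Return (unsigned, local_only, published) lists of key IDs.

    'unsigned' are candidates for `gpg --lsign-key`; 'local_only' already
    carry a local certification; 'published' carry my exportable signature.
    """
    unsigned, local_only, published = [], [], []
    for keyid, info in classify_keys(text, my_keyid).items():
        if info["exportable"]:
            published.append(keyid)
        elif info["local"]:
            local_only.append(keyid)
        else:
            unsigned.append(keyid)
    return unsigned, local_only, published


if __name__ == "__main__":
    unsigned, local_only, published = keys_lacking_my_signature(SAMPLE, "0123456789ABCDEF")
    names = {k: v["uid"] for k, v in classify_keys(SAMPLE, "0123456789ABCDEF").items()}
    for keyid in unsigned:
        print("no signature of mine, consider --lsign-key:", keyid, names[keyid])
    for keyid in local_only:
        print("local signature only:", keyid, names[keyid])
    for keyid in published:
        print("exportable signature present:", keyid, names[keyid])
```

To run it against a real keyring, feed the output of "gpg --with-colons
--list-sigs" to keys_lacking_my_signature() instead of SAMPLE and pass your
own key ID. Re-check the fingerprint before every --lsign-key; the script
only tells you which keys are missing a certification, not whether the key
is the one you verified at the party.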