Protecting IDs at a key signing party
expires2012 at rocketmail.com
Mon Jan 23 23:52:27 CET 2012
-----BEGIN PGP SIGNED MESSAGE-----
On Saturday 21 January 2012 at 10:01:51 PM, in
<mid:4F1B35CF.1000008 at sixdemonbag.org>, Robert J. Hansen wrote:
> If they want to mess with you, they don't need your
> permission. As is, you've explicitly asked them,
> "would you please sign certificate 0xDEADBEEF,
> fingerprint so-and-so, here's my credentials."
> they're signing it with *their* certificate, backed up
> by credentials that you yourself checked.
Except that you have no way of knowing if the certificate they use to
sign the key will contain UIDs related to the credentials you were
shown, or something completely different.
> How is this a problem?
> You've been making hay out of this for years and I've
> yet to see any realistic example of this being a
> problem. Please present one.
People being rude, insensitive, and potentially insulting, *is* a
problem. Not related to security but still a problem. If it were
possible to enforce the "keyserver-no-modify" flag, this problem might
>> More importantly, they are signing UIDs that may well
>> contain email addresses, without actually verifying
>> that you "control" those email addresses.
> Likewise, regarding making hay and a complete lack of
> realistic examples.
Are you suggesting it is sensible to check a person's name against
government-issued documents but to attempt any verification of email
MFPA mailto:expires2012 at rocketmail.com
A candle loses nothing by lighting another candle
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
More information about the Gnupg-users