Protecting IDs at a key signing party

Robert J. Hansen rjh at sixdemonbag.org
Tue Jan 24 01:25:53 CET 2012


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On 1/23/12 5:52 PM, MFPA wrote:
>> If they want to mess with you, they don't need your permission.
>> As is, you've explicitly asked them, "would you please sign 
>> certificate 0xDEADBEEF, fingerprint so-and-so, here's my 
>> credentials."
> 
> True.
> 
>> Then they're signing it with *their* certificate, backed up by 
>> credentials that you yourself checked.
> 
> Except that you have no way of knowing if the certificate they use 
> to sign the key will contain UIDs related to the credentials you 
> were shown, or something completely different.

If you need to know the certificate they use to sign your certificate
contains UIDs related to the credentials you were shown, then you need
to stop using OpenPGP.  You literally cannot get this level of
assurance.  Anyone can sign your certificate and share it with someone
else, and there's no way to change that.

-----BEGIN PGP SIGNATURE-----

iFYEAREIAAYFAk8d+pEACgkQI4Br5da5jhALlQDfQMFghC+RO51auWibZaJa4vDd
fuMyGblKWjtuXQDgovK6RMgmD5C4TI2DtVV6ocFECwkCNtpNnw0Zgw==
=LO82
-----END PGP SIGNATURE-----
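An added example, not part of this thread and not GnuPG's own code: a small Python parser over the colon-separated output of `gpg --list-sigs --with-colons` that separates a certificate's self-signatures from third-party certifications and flags signers whose key (and therefore whose user IDs) is not in the local keyring. It illustrates the point above from the defender's side: you cannot stop anyone from certifying your certificate, but you can see what has accumulated on it. Field positions follow GnuPG's doc/DETAILS record format; the input below is constructed sample output, and every key ID, fingerprint and user ID in it is made up.

```python
"""Audit the certifications carried by an OpenPGP certificate.

Parses the record format produced by `gpg --list-sigs --with-colons`
(fields are colon-separated; record type is field 1) and reports, per
user ID, which signatures are self-signatures, which are third-party
certifications from a known signer, and which come from a signer whose
key is not in the keyring at all. Sample input is constructed.
"""
from dataclasses import dataclass, field

# Constructed sample (not a real keyring): one certificate, two user IDs,
# each carrying the owner's self-signature plus certifications from two
# other keys. The key 0000DEADBEEF0000 is not in the local keyring, so
# GnuPG prints "[User ID not found]" in the signer's user-ID field.
SAMPLE_COLONS = """\
pub:u:2048:1:0123456789ABCDEF:1327000000:::u:::scESC::::::23::0:
fpr:::::::::1111222233334444555566660123456789ABCDEF:
uid:u::::1327000000::AAAA::Example Owner <owner@example.org>::::::::::0:
sig:::1:0123456789ABCDEF:1327000000::::Example Owner <owner@example.org>:13x:::::2:
sig:::1:FEDCBA9876543210:1327100000::::Known Signer <signer@example.net>:12x:::::2:
sig:::1:0000DEADBEEF0000:1327200000::::[User ID not found]:10x:::::2:
uid:u::::1327000000::BBBB::Example Owner <owner@example.com>::::::::::0:
sig:::1:0123456789ABCDEF:1327000000::::Example Owner <owner@example.com>:13x:::::2:
sig:::1:0000DEADBEEF0000:1327200000::::[User ID not found]:10x:::::2:
"""

UNKNOWN_SIGNER = "[User ID not found]"   # GnuPG's marker for a signer not in the keyring

# RFC 4880 certification classes as GnuPG prints them (hex, then 'x' for exportable)
SIG_CLASS_NAMES = {"10": "generic", "11": "persona", "12": "casual", "13": "positive"}


@dataclass
class Certification:
    signer_keyid: str   # field 5 of a sig record
    signer_uid: str     # field 10: signer's primary user ID, or UNKNOWN_SIGNER
    sig_class: str      # field 11, e.g. "13x"
    created: int        # field 6, Unix timestamp


@dataclass
class UserId:
    uid: str
    certs: list = field(default_factory=list)


@dataclass
class Certificate:
    keyid: str
    fingerprint: str
    uids: list


def parse_list_sigs(text):
    """Build a Certificate from --with-colons output for a single key.

    Direct-key signatures (sig records before the first uid record) and
    rev (revocation) records are ignored here; they do not bear on which
    user IDs have been certified by whom.
    """
    cert = None
    current_uid = None
    for line in text.splitlines():
        f = line.split(":")
        rtype = f[0]
        if rtype == "pub":
            cert = Certificate(keyid=f[4], fingerprint="", uids=[])
            current_uid = None
        elif rtype == "fpr" and cert is not None and not cert.fingerprint:
            cert.fingerprint = f[9]            # first fpr after pub is the primary key's
        elif rtype == "uid" and cert is not None:
            current_uid = UserId(uid=f[9])
            cert.uids.append(current_uid)
        elif rtype == "sig" and current_uid is not None:
            current_uid.certs.append(Certification(
                signer_keyid=f[4], signer_uid=f[9], sig_class=f[10], created=int(f[5])))
    return cert


def audit(cert):
    """Map each user ID to (signer keyid, kind, class name) triples.

    kind is "self" for the owner's own signature, "unknown-signer" when
    the signer's key is absent from the keyring (so its user IDs cannot
    be compared with anything), and "third-party" otherwise.
    """
    report = {}
    for u in cert.uids:
        entries = []
        for c in u.certs:
            if c.signer_keyid == cert.keyid:
                kind = "self"
            elif c.signer_uid == UNKNOWN_SIGNER:
                kind = "unknown-signer"
            else:
                kind = "third-party"
            entries.append((c.signer_keyid, kind, SIG_CLASS_NAMES.get(c.sig_class[:2], c.sig_class)))
        report[u.uid] = entries
    return report


def unknown_signers(report):
    """Key IDs of signers that certified some user ID but are not in the keyring."""
    return sorted({kid for entries in report.values() for kid, kind, _ in entries if kind == "unknown-signer"})


if __name__ == "__main__":
    cert = parse_list_sigs(SAMPLE_COLONS)
    for uid, entries in audit(cert).items():
        print(uid)
        for kid, kind, cls in entries:
            print(f"  {kid}  {kind:15} {cls}")
    print("signers not in keyring:", unknown_signers(audit(cert)))
```

Run it against real output by piping `gpg --list-sigs --with-colons 0xKEYID` into `parse_list_sigs`; importing the unknown signer's key (`gpg --recv-keys`) before re-running is the only way to turn an "unknown-signer" entry into something whose user IDs can be compared with the credentials that were shown at the party.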



More information about the Gnupg-users mailing list