Proof of possession when exchanging keys

Phil Calvin phil at philcalvin.com
Wed Nov 13 17:49:35 CET 2013


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I seem to recall reading somewhere that when exchanging keys in
person, you should not only have the person verify the key
fingerprint, but you should also present them with 1) an unpredictable
challenge document to sign or 2) verify that they can decrypt an
encrypted message using the key in question. This would ensure they
have access to the secret half of the keypair in question.

Is verifying proof of possession necessary or good practice, or is
checking fingerprints (and, when you don't know the person, photo ID
or similar) enough?

Phil
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (Darwin)
-----END PGP SIGNATURE-----
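To make the first of the two checks in the question concrete, here is an added illustration (not from the original thread or from GnuPG) of the challenge-signing form of proof of possession, written in Go with the standard library's Ed25519 rather than OpenPGP. The fingerprint is modelled as a SHA-256 of the public key, standing in for the OpenPGP fingerprint the two parties compared in person; the challenge label, the names and the constructed sample exchange in main are assumptions made for the demonstration. The point it shows is that the verifier must generate an unpredictable, fresh challenge, must verify the signature against the key whose fingerprint was checked, and must reject both a signature made with some other key and a replayed signature over an older challenge.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Fingerprint returns the hex SHA-256 of a public key. It stands in for the
// OpenPGP fingerprint the parties read out to each other in person
// (assumption: any collision-resistant hash of the key serves the same role here).
func Fingerprint(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:])
}

// NewChallenge builds the verifier's challenge: 32 bytes from a CSPRNG plus a
// context label, so the key holder cannot predict it in advance and a signature
// produced for one exchange cannot be presented again in another.
func NewChallenge(context string) ([]byte, error) {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return append([]byte("key-exchange-pop/"+context+"/"), nonce...), nil
}

// Sign is the key holder's side: sign exactly the challenge the verifier handed over.
func Sign(priv ed25519.PrivateKey, challenge []byte) []byte {
	return ed25519.Sign(priv, challenge)
}

// VerifyPossession is the verifier's side. Two things must hold: the key being
// proved is the one whose fingerprint was compared in person, and the signature
// is valid over this challenge under that key.
func VerifyPossession(expectedFingerprint string, pub ed25519.PublicKey, challenge, sig []byte) error {
	if Fingerprint(pub) != expectedFingerprint {
		return errors.New("presented key does not match the fingerprint verified in person")
	}
	if !ed25519.Verify(pub, challenge, sig) {
		return errors.New("signature invalid: the signer does not hold the secret key")
	}
	return nil
}

func main() {
	// Constructed scenario: Alice's key, whose fingerprint Bob already checked.
	alicePub, alicePriv, _ := ed25519.GenerateKey(rand.Reader)
	checkedFingerprint := Fingerprint(alicePub)

	challenge, err := NewChallenge("alice<->bob/in-person")
	if err != nil {
		panic(err)
	}

	// Honest case: Alice signs the fresh challenge with her own secret key.
	fmt.Println("alice signs challenge:", VerifyPossession(checkedFingerprint, alicePub, challenge, Sign(alicePriv, challenge)))

	// Someone who only has Alice's public key cannot produce a valid signature.
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)
	fmt.Println("other key signs:", VerifyPossession(checkedFingerprint, alicePub, challenge, Sign(otherPriv, challenge)))

	// A signature over an old challenge is rejected against a new one.
	replayed := Sign(alicePriv, challenge)
	fresh, _ := NewChallenge("alice<->bob/in-person")
	fmt.Println("replayed signature:", VerifyPossession(checkedFingerprint, alicePub, fresh, replayed))
}
```

With GnuPG the same exchange is the verifier writing the random challenge to a file, the key holder producing a detached signature over it, and the verifier running gpg --verify and checking that the fingerprint reported for the valid signature is the one compared in person; the Go code above only makes the three checks that matter explicit.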