[svlug] keysigning party
marc_news at merlins.org
Mon Nov 11 11:22:47 PST 2002
On Mon, Nov 11, 2002 at 06:07:29PM +0000, Drew Streib wrote:
> On Mon, Nov 11, 2002 at 01:31:17AM -0800, Marc MERLIN wrote:
> > Now, if you trust me to have done a good job of verifying IDs and not
> > trying to make you sign a key from a fake user, you could then sign
> > those keys too.
> In the traditional model, this is wrong.
I know, that's why I offered the second part :-)
> If they trust you to sign keys, then in their _local_ trustdb, they should
> extend trust to keys you've signed. Their actual signatures should mean
> they they themselves verified the key.
In theory, yes.
> There's nothing wrong with using local trust databases and locally assigned
> trust. Marc, you're on my ring as a trusted signator, so that works great,
You're in mine too :)
> but that's because _I_ trust you, not because I've allowed someone else
> to trust you without my knowledge.
That said, there are some people for whom if they tell me they have
personaly verified the identity and fingerprint of foo, I'll would sign
their key (mind you, that wouldn't be just anyone)
That's why I wrote the second part about using a proxy to put all the keys
together with an MD5 checksum, and having everyone verify their own key and
the MD5 checksum.
That would at least save on the very lenghty and overly boring reading of
each and everyone's fingerprint.
"A mouse is a device used to point at the xterm you want to type in" - A.S.R.
Microsoft is to operating systems & security ....
.... what McDonalds is to gourmet cooking
Home page: http://marc.merlins.org/ | Finger marc_f at merlins.org for PGP key
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Size: 307 bytes
Desc: not available
Url : http://lists.svlug.org/archives/svlug/attachments/20021111/ac40f405/attachment.bin
More information about the svlug