[svlug] keysigning party

[Marc MERLIN]

On Mon, Nov 11, 2002 at 06:07:29PM +0000, Drew Streib wrote:
> On Mon, Nov 11, 2002 at 01:31:17AM -0800, Marc MERLIN wrote:
> > Now, if you  trust me to have done  a good job of verifying  IDs and not
> > trying to  make you sign  a key  from a fake  user, you could  then sign
> > those keys too.
> 
> In the traditional model, this is wrong.
 
I know, that's why I offered the second part :-)
 
> If they trust you to sign keys, then in their _local_ trustdb, they should
> extend trust to keys you've signed. Their actual signatures should mean
> they they themselves verified the key.

In theory, yes.

> There's nothing wrong with using local trust databases and locally assigned 
> trust. Marc, you're on my ring as a trusted signator, so that works great, 

You're in mine too :)

> but that's because _I_ trust you, not because I've allowed someone else
> to trust you without my knowledge.

Right.
That  said, there  are  some people  for  whom  if they  tell  me they  have
personaly  verified the  identity and  fingerprint of  foo, I'll  would sign
their key (mind you, that wouldn't be just anyone)

That's why I wrote the second part about using a proxy to put all the keys
together with an MD5 checksum, and having everyone verify their own key and
the MD5 checksum.
That would at  least save on the  very lenghty and overly  boring reading of
each and everyone's fingerprint.

Marc
-- 
"A mouse is a device used to point at the xterm you want to type in" - A.S.R.
Microsoft is to operating systems & security ....
                                      .... what McDonalds is to gourmet cooking
Home page: http://marc.merlins.org/   |   Finger marc_f at merlins.org for PGP key
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 307 bytes
Desc: not available
Url : http://lists.svlug.org/archives/svlug/attachments/20021111/ac40f405/attachment.bin