On Wednesday 28 May 2008 17:11:07 Mikkel L. Ellertson wrote:
> Tim wrote:
> > Patrick O'Callaghan:
> >>> gpg --sign-key <name>
> >
> > Bill Crawford:
> >> --lsign-key, please, unless you have met the person and seen their
> >> passport.
> >
> > A good idea, but could you tell a forged passport apart from a real one?
> > I'm sure that I couldn't. Likewise for other forms of ID, I couldn't
> > tell a real one from a good fake, and I'd have no way to verify a real
> > ID.
> >
> > Though I seriously doubt that most of us would be using gpg in a way
> > that required such a level of personal identity assurance.
>
> I started signing my email to the lists when a couple of messages
> hit a list with my email address that were not from me. This way, a
> forged message stands out because of the lack of signature, or
> because it is signed by a different key.
>

For me, it was when someone accused me of sending a virused email, again on a forged message.

It is important, though, to maintain the web-of-trust. It does have legal implications, and that's why local signing is an option.

I use encryption for correspondence with one person, and for that I have to use ultimate trust, yet I've never met him. The name I know him by may not be his. It would be utterly wrong for me to upload his signature, signed, as that says to people "You can trust this guy utterly. I vouch for him." And you can't do that for someone you haven't even met.

Anne
--
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list