Re: PGP signatures.


On Wed, 2008-05-28 at 13:06 -0400, Todd Zullinger wrote:
> Patrick O'Callaghan wrote:
> > On Wed, 2008-05-28 at 08:04 -0500, Aaron Konstam wrote:
> >> Ok, I agree with your analysis. It can't be ruled as invalid if it had
> >> not been retrieved. But I am ignorant. I do not know how to do the
> >> signing
> > 
> > gpg --sign-key <name>
> 
> Bzzt!  Don't do that.  Not unless you have:
> 
>     1) Verified the details of the key (fingerprint, size, and type,
>     at least)
>     
>     2) Verified the email address used (perhaps via a simple challenge
>     email asking the key holder to sign some data of your choosing and
>     return it to you)
> 
>     3) Done some sort of validation that the name on the key is really
>     the name the key holder is known as
> 
> There is nothing to be gained by just signing a key to make the
> "invalid" warning go away.  And in fact, it can be harmful.  If you
> use --sign-key and then even send that key to someone else or to a
> keyserver, others may take your signature to mean that you've done
> some or all of the verification I mentioned above.  If you haven't,
> you're harming your reputation, as no one wants to trust the
> signature from someone that doesn't do any verification.  (Think of
> signing a key as you would notarizing a document.  You wouldn't stamp
> your seal on something without some checking.)
> 
> If you really must silence the warning (and I would argue that there
> is no point in that), you can use gpg --lsign-key to create a local
> signature.  Such a signature will not ever be exported.

Correct, I should have said --lsign-key.

poc

-- 
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
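
An added example, not part of the original thread: a shell wrapper that refuses to run `gpg --lsign-key` unless the key's primary fingerprint equals one obtained out of band. The function names and the sample listing are constructed for illustration, and it assumes a 40-hex-digit (v4) fingerprint.

```shell
#!/bin/sh
# Added example: refuse to local-sign unless the fingerprint matches.

# Strip spaces/colons and upper-case, so "0123 4567 ..." == "01234567...".
normalize_fpr() {
    printf '%s' "$1" | tr -d ' :\n\t' | tr 'a-f' 'A-F'
}

# stdin: `gpg --with-colons --fingerprint` output.
# Prints the primary key fingerprint: field 10 of the first "fpr"
# record after the "pub" record (later "fpr" records belong to subkeys).
primary_fpr() {
    awk -F: '$1 == "pub" { seen = 1; next }
             seen && $1 == "fpr" { print $10; exit }'
}

# $1 = colon listing, $2 = fingerprint obtained out of band.
# Succeeds only for a full 40-hex-digit match; short key IDs are rejected.
fpr_matches() {
    got=$(printf '%s\n' "$1" | primary_fpr)
    want=$(normalize_fpr "$2")
    case "$want" in
        ''|*[!0-9A-F]*) return 1 ;;
    esac
    [ "${#want}" -eq 40 ] || return 1
    [ "$got" = "$want" ]
}

# $1 = key ID or address, $2 = fingerprint obtained out of band.
lsign_if_verified() {
    listing=$(gpg --with-colons --fingerprint "$1") || return 2
    if fpr_matches "$listing" "$2"; then
        # Sign by the verified fingerprint; a local signature is never exported.
        gpg --lsign-key "$(normalize_fpr "$2")"
    else
        echo "fingerprint mismatch for $1: not signing" >&2
        return 1
    fi
}

# Constructed sample listing (not a real key), trimmed to the fields used.
SAMPLE_LISTING='pub:-:4096:1:89ABCDEF01234567:1199145600:::-:::scESC:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:-::::1199145600::::Constructed Sample User:
sub:-:4096:1:FEDCBA9876543210:1199145600::::::e:
fpr:::::::::76543210FEDCBA9876543210FEDCBA9876543210:'
```

This automates only the fingerprint part of the first check listed in the thread; confirming the e-mail address and the key holder's name remains a manual step.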
