On Wed, 2008-05-28 at 21:45 +0100, Anne Wilson wrote:
> On Wednesday 28 May 2008 20:26:19 Patrick O'Callaghan wrote:
> > On Wed, 2008-05-28 at 17:49 +0100, Anne Wilson wrote:
> > > On Wednesday 28 May 2008 17:11:07 Mikkel L. Ellertson wrote:
> > > > Tim wrote:
> > > > > Patrick O'Callaghan:
> > > > >>> gpg --sign-key <name>
> > > > >
> > > > > Bill Crawford:
> > > > >> --lsign-key, please, unless you have met the person and seen their
> > > > >> passport.
> > > > >
> > > > > A good idea, but could you tell a forged passport apart from a real
> > > > > one? I'm sure that I couldn't. Likewise for other forms of ID, I
> > > > > couldn't tell a real one from a good fake, and I'd have no way to
> > > > > verify a real ID.
> > > > >
> > > > > Though I seriously doubt that most of us would be using gpg in a way
> > > > > that required such a level of personal identity assurance.
> > > >
> > > > I started signing my email to the lists when a couple of messages
> > > > hit a list with my email address that were not from me. This way, a
> > > > forged message stands out because of the lack of signature, or
> > > > because it is signed by a different key.
> > >
> > > For me, it was when someone accused me of sending a virused email, again
> > > on a forged message.
> >
> > Anne, your signature on a message guarantees that you sent it (actually
> > all it does is guarantee that it was sent by someone with access to your
> > private key, but anyway), however the absence of your signature doesn't
> > guarantee that you didn't send it. Your protestations that you always
> > sign your mail have the same weight as saying you don't send viruses, so
> > I don't see the gain in this specific example.
>
> I tried to explain about looking at headers and comparing the originating IP
> with a message known to be from me, but that was too much for the person in
> question. As you say, the presence of my key shows that it originated from
> one of my computers.

That's good enough for the purpose.

>
> > > It is important, though, to maintain the web-of-trust. It does have
> > > legal implications, and that's why local signing is an option.
> >
> > IANAL etc. etc. but what is your basis for saying it has legal
> > implications? Some PKI systems may indeed have them, but GPG is not a
> > PKI system.
>
> IANAL either, but I understand that there have been contracts accepted in law
> on the strength of such a signature. Of course that has no relevance for
> me :-)
>
> What exactly do you mean by 'GPG is not a PKI system'?

PKI = Public Key Infrastructure, which implies among other things the use of
X.509 certificates and a network of trusted certificate authorities that can
verify them. It's a totally different model from GPG's web-of-trust since it
relies on a small number of centrally-managed servers which have ultimate
authority to certify public keys. GPG (actually PGP) may use servers such as
pgp.mit.edu as a convenience for key distribution but that's not the same
thing.

poc

-- 
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list