Samuel Tardieu <[EMAIL PROTECTED]> writes:
> On 28/06, John H. Robinson, IV wrote:
>
> | http://people.debian.org/~jaqque/keysign.html
> |
> | it does have some weaknesses, but it is a lot stronger than the ``oh,
> | i've met you, i have checked your ID, and off we go''

What additional security does this protocol offer over simple ID
checking? IOW, what problem does it solve?

> It has an enormous flaw: you do not sign a key, you sign an id.

Indeed. And I usually consider the e-mail not part of the signed data
(although, technically it is). It would be good to make that
explicit by having one uid on the key without e-mail. I'd sign just
that, and - frankly - I'm not that interested in whether the e-mail is
signed by anybody besides the owner of the key.
--
Robbe