[please don't top-quote]

On Wed, Nov 13, 2002 at 11:13:59AM -0800, Expert User wrote:
> On Thu, Nov 14, 2002 at 02:08:02AM +1100, Rob Weir wrote:
> > On Wed, Nov 13, 2002 at 11:24:30AM +0000, Karl E. Jorgensen wrote:
> > > b) They must trust that you are actually the keeper of the
> > > corresponding secret key. This means physically meeting people and
> > > collecting signatures on your key from other people (web-of-trust).
> > > This is the hard and time-consuming bit...
> >
> > This bit is really, really important. Do not sign anyone's key unless
> > you've physically met them and are sure they are who they claim they
> > are. If you don't take it seriously then you'll hurt the web of trust.
> > That said, keysigning is an excellent excuse to meet up with local
> > geeks:)
> >
> > -rob
> >
>
> The one part I have not quite understood is how do I 'collect'
> signatures physically?

Basically you find somebody else who has a key and:

- Prove that you are who you say you are. This requires some official
  ID, e.g. a passport.
- Prove that you are the keeper of your private key - e.g. by being able
  to decrypt documents encrypted with the corresponding public key.
- Hand over the key fingerprint

That should be enough for somebody to sign your key. They would do this
by:

- Getting hold of your public key
- Checking that the fingerprint matches
- Signing your public key with their private key
- Sending your (now signed) public key to you (usually in a mail
  encrypted to your key)
- You then import that key and thus import the new signature
- You upload your public key (with the new signatures) to keyservers

Usually it's a two-way process - A signs B's key and vice versa
(provided that the conditions above are met).

The above is just a very short (and probably inaccurate) summary. Read
the real thing to get the (much more authoritative) full story:

http://www.cryptnet.net/fdp/crypto/gpg-party.html

HTH
--
Karl E. Jørgensen
[EMAIL PROTECTED] http://karl.jorgensen.com
==== Today's fortune:
The truth of a proposition has nothing to do with its credibility. And
vice versa.

