Package: www.debian.org
Version: unavailable; reported 2003-08-04
Severity: wishlist
On the keysigning page, in the "What you should not do" section, it would be useful to mention that the signed key should be sent to the key's owner and not immediately uploaded to a public keyserver. This is implied by the procedure described earlier, but not with crystal clarity, and indeed I have been to keysignings where uploading signatures to keyservers was considered routine.

The reason for this restriction is that one usually signs a key after a person presents ID that links his face with his name, and a fingerprint printout that links his name with his key. Assume that the ID is trustworthy and the face matches the picture on the ID, so that the face-name link is proven. One is prepared to sign the key to say that this person claims this key. However, the key also lists an email address, and unless something further is done there is nothing to prove that this person owns this email address (except perhaps for the fact that the person is present, if the occasion is a keysigning that was arranged by private email).

It adds to the security of the process if the signature is emailed to that address. It will then be uploaded if and only if the person in question really owns that address. If the address actually belongs to someone else, then she will not upload the key but will probably make inquiries into who is claiming to own her email address.

If my thinking is muddled here, please let me know.

-- System Information:
Debian Release: testing/unstable
Architecture: i386
Kernel: Linux thanatos 2.4.21 #3 Wed Jun 18 21:35:52 CEST 2003 i686
Locale: [EMAIL PROTECTED], [EMAIL PROTECTED]

