On 1/21/2012 8:58 AM, MFPA wrote:
> Those 11 people have denied you the opportunity to see exactly what
> they are adding to your key before publishing it. (That may generally
> be seen as trivial, but it matters to me.)

It's less than trivial: it's a complete nonissue. If they want to mess with you, they don't need your permission. As is, you've explicitly asked them, "would you please sign certificate 0xDEADBEEF, fingerprint so-and-so, here's my credentials." Then they're signing it with *their* certificate, backed up by credentials that you yourself checked. How is this a problem? You've been making hay out of this for years and I've yet to see any realistic example of this being a problem. Please present one.

> More importantly, they are signing UIDs that may well contain email
> addresses, without actually verifying that you "control" those email
> addresses.

Likewise, regarding making hay and a complete lack of realistic examples.
_______________________________________________ Gnupg-users mailing list [email protected] http://lists.gnupg.org/mailman/listinfo/gnupg-users
