Others have answered the other points, so I'll just answer this:

On Mon, Apr 01, 2002 at 11:00:39AM -0700, [EMAIL PROTECTED] wrote:
> so you are saying it is a totally subjective judgement call?

Yes. It's a question of trust, which is very difficult to compute algorithmically...

The question is:

(for local signing) Are you convinced that the keyholder is actually the person they say they are?

(for export signing) all the above, plus: Are you willing to stake your reputation on guaranteeing that the keyholder is the person they say they are?

Personally, I have not signed *any* keys on my keyring /yet/ (except my own).

IMHO, identity validation should only happen in person, or if you know the person well enough to recognise their voice, you could do it over the phone. For example, I could validate friends from Uni over the phone, but people from my local LUG (where email is the only main channel of communication) would only be validated face-to-face (maybe with exchange of other forms of ID).

Of course, you only have to exchange key fingerprints over the validating channel, not entire keys.

-- 
David Smith        | Tel: +44 (0)1454 462380  Home: +44 (0)1454 616963
STMicroelectronics | Fax: +44 (0)1454 617910  Mobile: +44 (0)7932 642724
1000 Aztec West    | TINA: 065 2380
Almondsbury        | Work Email: [EMAIL PROTECTED]
BRISTOL, BS32 4SQ  | Home Email: [EMAIL PROTECTED]
