Re: Sign my key - Was (no subject)

[Francis Gulotta]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

How do we know it's really yours or that you are really you? I'll accept
that this message was signed with it, but by signing you key it means I
have no doubt that it really does indeed belong to Dan Mundy. And I've
nver met him.

I personally don't have any signatures except from my other identities
(who have seperate keys instead of subkeys), I will have more, I'm
waiting for my local LUG's keysigning party after their next meeting. To
miss-quote someone else here. (It's got the same jist)

People travel long and far to get their key's signed.

I'd give you some links off hand (if I had any on hand) for how to find
any keysigning parties or people in your area who will meet with you to
sign your key. You should look yourself, and I'm sure there are plenty
of other people here who have those links handy.

Good luck.

- -Francis

Dan Mundy wrote:
 hey everyone, just letting you all know i'm new to mailing lists.
 
 by the way, here's my public key. make sure to sign it!
 
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.1 (Darwin)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFCoIAoTJEaZCt0gQsRAk0oAJ4vOh/8Vrfw+dysa4UoPDfOhexQdwCfeB4r
gZogKpH5OCVXUXyOw0kKtNQ=
=W/a9
-END PGP SIGNATURE-

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Sign my key - Was (no subject)

[Alex L. Mauer]

Francis Gulotta wrote:

How do we know it's really yours or that you are really you? I'll accept
that this message was signed with it, but by signing you key it means I
have no doubt that it really does indeed belong to Dan Mundy. And I've
nver met him.


I know this is rather controversial, but for a lot of people it doesn't
matter if the person really is Dan Mundy, since Dan Mundy is just a
string, and doesn't really have any inherent meaning attaching it to a
physical entity.

You can be *somewhat* sure that if you send an encrypted email to some
address, and they respond to its contents, that someone who has access
to that mailbox also knows the passphrase to the relevant key.

Physically meeting someone doesn't prove that the keyholder hasn't
shared the passphrase and private key.

If there's a picture UID on the key and it matches the person that you
physically meet, it doesn't prove that the person you met has the
passphrase to the key, or that they have access to the mailbox
associated with the key.

With a photo ID, it can prove (to the extent that they have proven it to
the ID issuer, i.e. not a whole lot) that the name on the key matches
the person you've physically met.  But if you interact primarily over
the net, that doesn't really matter.  There's a major missing link
between the email address and the physical person at the meeting.


For purposes of network addresses, I mostly couldn't care less if the
person who uses the email address [EMAIL PROTECTED] *actually* goes
by the name, or is known to some government by the name Dan Mundy.  What
I do care about is that the same keyholder who signed this message, also
signed that one, and I have some basis for believing they both came from
the same person. And *that* is the important step.  I can build up a
level of trust based on the contents of messages signed by that key.  If
he starts spouting crap that is inconsistent with prior messages, I can
lower my trust on the determination that his key has been compromised,
or he's gone nuts, or he's changed his mind.  But what he's actually
named by his parents is totally irrelevant to that.

If I was entering into some sort of contract with him, validating the
government ID might start to matter so I could enlist some governmental
aid in enforcing it, if it became necessary.  But the more risk I'm
taking in some contract, the less likely I am to trust any middle-men to
have verified someone's identity.

--
Bad - You get pulled over for doing 90 in a school zone and you're drunk
off your ass again at three in the afternoon.
Worse - The cop is drunk too, and he's a mean drunk.
FUCK! - A mean drunk that's actually a swarm of semi-sentient
flesh-eating beetles.
gpg/gpg key id: 51192FF2 @ subkeys.pgp.net


signature.asc
Description: OpenPGP digital signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Sign my key - Was (no subject)

[Dan Mundy]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Well, I'm glad someone out there saw that message... anyway, now
I've got the hang of these mailing lists!
Alright, I understand that nobody really knows I'm Dan Mundy.
But about key signing parties, you guys really are nerds! Oh
well, I guess I am one too... Anyway, I've been spreading the
word about gnupg, and hopefully some of my friends will get a
key.  In fact, I think by the end of the weekend, we will have a
new guy, so to speak...  Hope he joins this mailing list!

Dan
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.1 (MingW32) - GPGshell v3.44

iD8DBQFCoLJLTbbnG4BhqDARAg/DAKCDtq8YrX3zAly9qei5UidrhN7XJQCgmJVY
CbAK3PB5GrIkT//iqGIlB4w=
=V6WX
-END PGP SIGNATURE-



___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users