Peter Palfrader wrote:
>You miss the point, imagine the following situation:
>
>We meet, I show you my ID and give you the fingerprint.
>My key has two IDs:
> Peter Palfrader <[EMAIL PROTECTED]>
> Peter Palfrader <[EMAIL PROTECTED]>
>
>You sign both and send the key to my primary address or upload it to the
>keyserver.
>
>Congratulations, you have just allowed me to impersonate Peter Palfrader
><[EMAIL PROTECTED]>, who happens to be an altogether different Peter
>Palfrader than me.
>
>Now if I sign mails with that key, people will trust that I'm the
>[EMAIL PROTECTED] because after all _you_ signed that ID.
>
>If you had verified that I controlled [EMAIL PROTECTED], this could never
>have happened.

How can I _verify_ that? Suppose you have temporarily spoofed gmx.net; I "verify" that you are there and then you unspoof it.
All my signature verifies is that I personally met someone who presented a particular key. Do not put more trust in a web of trust than it deserves and do not trust it to guarantee what it cannot.

-- 
Oliver Elphick                                [EMAIL PROTECTED]
Isle of Wight                              http://www.lfix.co.uk/oliver
PGP: 1024R/32B8FAA1: 97 EA 1D 47 72 3F 28 47 6B 7E 39 CC 56 E4 C1 47
GPG: 1024D/3E1D0C1C: CA12 09E0 E8D5 8870 5839 932A 614D 4C34 3E1D 0C1C
                 ========================================
     "But as many as received him, to them gave he power to become
      the sons of God, even to them that believe on his name."
                                                  John 1:12
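The per-user-ID check Peter describes (verify control of each address before certifying that user ID), written out as an added example that is not part of the original thread. In the real workflow (the caff tool, for instance) each challenge is encrypted to the key so that only someone who holds the private key and also reads that mailbox can answer; here the mail transport is a plain dict, the encryption step is omitted so the example runs offline, and the fingerprint, addresses, TTL and all function names are constructed for this illustration. It also carries Oliver's caveat in code: a successful reply shows only that this mailbox was readable at the moment of the check, so each challenge is bound to one (key, user ID) pair, expires, and can be redeemed once.

```python
"""Per-user-ID mailbox-control check before certifying an OpenPGP key.

Added illustration, not code from the original thread. The real workflow
(e.g. the caff tool) encrypts each challenge to the key so that only someone
who holds the private key AND reads that mailbox can answer; here the mail
transport is a plain dict and the encryption step is omitted so the example
runs offline. Fingerprint, addresses and names below are constructed.
"""
import hmac
import secrets
from email.utils import parseaddr

CHALLENGE_TTL = 24 * 3600  # seconds a challenge stays redeemable (assumption)


def address_of(uid):
    """Mail address embedded in a user ID such as 'Name <user@host>'."""
    return parseaddr(uid)[1].lower()


class UidVerifier:
    """Issues one independent challenge per (key, user ID) and redeems it once."""

    def __init__(self, now):
        self._now = now            # injectable clock, seconds since epoch
        self._pending = {}         # (fingerprint, uid) -> (nonce, expiry)

    def issue(self, fingerprint, uids):
        """Return {uid: challenge text}; each uid gets its own random nonce."""
        challenges = {}
        for uid in uids:
            nonce = secrets.token_hex(16)
            self._pending[(fingerprint, uid)] = (nonce, self._now() + CHALLENGE_TTL)
            challenges[uid] = (f"To confirm {uid} on key {fingerprint}, "
                               f"reply from that address with: {nonce}")
        return challenges

    def redeem(self, fingerprint, uid, sender, token):
        """True only if token is the live, unexpired nonce issued for exactly
        this (fingerprint, uid) and the reply came from that uid's address."""
        entry = self._pending.get((fingerprint, uid))
        if entry is None:
            return False
        nonce, expiry = entry
        if self._now() > expiry:
            del self._pending[(fingerprint, uid)]
            return False
        if sender.lower() != address_of(uid):
            return False                     # token forwarded from another mailbox
        if not hmac.compare_digest(nonce, token):
            return False
        del self._pending[(fingerprint, uid)]  # single use
        return True


def certify_uids(fingerprint, uids, readable_mailboxes, now):
    """Simulate the exchange: the key holder can read only `readable_mailboxes`.
    Returns the list of user IDs that passed and may be certified."""
    verifier = UidVerifier(now)
    challenges = verifier.issue(fingerprint, uids)
    passed = []
    for uid, text in challenges.items():
        addr = address_of(uid)
        if addr not in readable_mailboxes:
            continue                          # challenge never reaches the holder
        token = text.rsplit(" ", 1)[1]        # holder replies with the nonce
        if verifier.redeem(fingerprint, uid, addr, token):
            passed.append(uid)
    return passed


if __name__ == "__main__":
    FPR = "0123456789ABCDEF0123456789ABCDEF01234567"          # constructed
    UIDS = ["Peter Palfrader <peter@example.org>",           # constructed
            "Peter Palfrader <peter@example.net>"]
    # Holder reads only the first mailbox: only that user ID passes.
    print(certify_uids(FPR, UIDS, {"peter@example.org"}, now=lambda: 0.0))
```

Run stand-alone it prints the single user ID whose mailbox the (simulated) key holder could read; the second user ID is left uncertified, which is exactly the outcome Peter's scenario needs. The sender check stops a token received at one address from being redeemed for the other user ID on the same key.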

