On second thoughts, Shreepadma sits right next to me so I will just ask her for the fingerprint. I guess we should make it a priority for signing the committer keys in meetups and the like.
Regards, Arvind On Tue, Sep 17, 2013 at 11:59 AM, Arvind Prabhakar <[email protected]>wrote: > Here is what I had in mind: > > - Shreepadma gives me the Key ID and Fingerprint over email > - I pull the key matching that ID from the keyserver and verify the > fingerprint > - If that information matches, I sign and publish the key > > Do you think this is not appropriate to do that? > > Regards, > Arvind > > > On Tue, Sep 17, 2013 at 11:54 AM, Joe Brockmeier <[email protected]> wrote: > >> On Tue, Sep 17, 2013, at 01:43 PM, Arvind Prabhakar wrote: >> > Hi Shreepadma, >> > >> > I am happy to sign and publish your key. Can you confirm the finger >> > print? >> >> Why would you sign a GPG key with confirmation over the Internet? How >> can you confirm that the key belongs to the person who you think you're >> talking to? Email is very, very easy to spoof. This does not give me >> confidence in a key that you're signing. >> >> Best, >> >> jzb >> -- >> Joe Brockmeier >> [email protected] >> Twitter: @jzb >> http://www.dissociatedpress.net/ >> > >
