On Tue, Sep 17, 2013, at 01:59 PM, Arvind Prabhakar wrote:
> Here is what I had in mind:
>
> - Shreepadma gives me the Key ID and Fingerprint over email
> - I pull the key matching that ID from the keyserver and verify the
>   fingerprint
> - If that information matches, I sign and publish the key
>
> Do you think this is not appropriate to do that?

It is not appropriate to do that. It would be *very* easy for someone to see your message to this list, create another key, spoof the email, and send you the request with no way for you to verify that the key/email is from the person it claims to be from.

Typically people do GPG signing in person. See:
http://cryptnet.net/fdp/crypto/keysigning_party/en/keysigning_party.html

Best,

jzb
-- 
Joe Brockmeier
[email protected]
Twitter: @jzb
http://www.dissociatedpress.net/
