Why not wait until the next time you meet f2f? (also a great reason to have a meetup ;-) )
Patrick On Tue, Sep 17, 2013 at 11:59 AM, Arvind Prabhakar <[email protected]> wrote: > Here is what I had in mind: > > - Shreepadma gives me the Key ID and Fingerprint over email > - I pull the key matching that ID from the keyserver and verify the > fingerprint > - If that information matches, I sign and publish the key > > Do you think this is not appropriate to do that? > > Regards, > Arvind > > > On Tue, Sep 17, 2013 at 11:54 AM, Joe Brockmeier <[email protected]> wrote: > >> On Tue, Sep 17, 2013, at 01:43 PM, Arvind Prabhakar wrote: >> > Hi Shreepadma, >> > >> > I am happy to sign and publish your key. Can you confirm the finger >> > print? >> >> Why would you sign a GPG key with confirmation over the Internet? How >> can you confirm that the key belongs to the person who you think you're >> talking to? Email is very, very easy to spoof. This does not give me >> confidence in a key that you're signing. >> >> Best, >> >> jzb >> -- >> Joe Brockmeier >> [email protected] >> Twitter: @jzb >> http://www.dissociatedpress.net/ >>
