Here is what I had in mind:

- Shreepadma gives me the Key ID and Fingerprint over email
- I pull the key matching that ID from the keyserver and verify the fingerprint
- If that information matches, I sign and publish the key

Do you think it is not appropriate to do that?

Regards,
Arvind

On Tue, Sep 17, 2013 at 11:54 AM, Joe Brockmeier <[email protected]> wrote:
> On Tue, Sep 17, 2013, at 01:43 PM, Arvind Prabhakar wrote:
> > Hi Shreepadma,
> >
> > I am happy to sign and publish your key. Can you confirm the finger
> > print?
>
> Why would you sign a GPG key with confirmation over the Internet? How
> can you confirm that the key belongs to the person who you think you're
> talking to? Email is very, very easy to spoof. This does not give me
> confidence in a key that you're signing.
>
> Best,
>
> jzb
> --
> Joe Brockmeier
> [email protected]
> Twitter: @jzb
> http://www.dissociatedpress.net/
>
