On Wednesday 19 January 2005 21:58 CET Chris Gianelloni wrote:
> On Wed, 2005-01-19 at 15:38 -0500, Aron Griffis wrote:
> > Chris Gianelloni wrote: [Wed Jan 19 2005, 09:31:25AM EST]
> >
> > > In fact, for LWE
> > > key signing, we require 2 forms of picture identification.
> >
> > Says who?
>
> http://dev.gentoo.org/~rajiv/LWE2004Keysigning/
>
> Specifically look at #3 under the "What to do after the show" section.
> Like I said, it is up to the signer.

Hmmm...

| 3. Sign the key: gpg --sign-key <key-id>. GPG will ask how carefully you
| verified the key. Many people will say they have done casual checking
| after having verified one photo ID, and have done very careful checking
| after having verified two or more photo IDs.
| 4. Send the signed key back to the owner: gpg --armor --export <key-id> |
| mail -s 'signed key' <owner-email>.

If I (and the guide GPG prints when you have to choose the trust level) am
not completely mistaken, you should give away a sig3 (aka "very careful
checking") only if you also verified the email address. I can give you at
least five official IDs with my name and my picture on them but could still
add a faked address to my key. That way I could later go phishing and send
signed mails under a wrong address.

From [1]:
| As PGP/GPG-keys are mostly used for email, it's very important to check
| email address 'and' user name. So a challenge/response-procedure is often
| used here. You first send an encrypted random string to 'each' email
| address which is listed within the key. If your counterpart sends back the
| decrypted string, which matches your sent version, you sign the key.
| (Note: the link between the name/ID and the email/key isn't ensured by
| this procedure.)

So
| 5. Send the signed key back to the owner: gpg --armor --export <key-id>
| mail -s 'signed key' <owner-email>.
isn't enough, you've got to send one message for each uid. I think I linked
at least two scripts to automate this here [2].

Cheers,
Malte

[1] https://21c3.ccc.de/wiki/index.php/GPG_Key_Signing_Party
[2] http://del.icio.us/mss/pgp

--
[SGT] Simon G. Tatham: "How to Report Bugs Effectively"
      <http://www.chiark.greenend.org.uk/~sgtatham/bugs.html>
[ESR] Eric S. Raymond: "How To Ask Questions The Smart Way"
      <http://www.catb.org/~esr/faqs/smart-questions.html>
--
gentoo-dev@gentoo.org mailing list
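
The per-uid challenge/response bookkeeping described in the message above, as an added example that is not part of the original mail or of the scripts it links: it reads the `uid` records from `gpg --with-colons` output, issues one random string per address, and reports which addresses returned the right one. The sample listing, key IDs and replies are constructed; encrypting each string to the key and mailing it are assumed to happen outside the script.

```python
import hmac
import re
import secrets

# Constructed sample of `gpg --with-colons --list-keys <key-id>` output.
SAMPLE_LISTING = """\
pub:-:1024:17:0123456789ABCDEF:1105000000:::-:::scESC:
uid:-::::1105000000::AAAA::Alice Example <alice@example.org>:
uid:-::::1105000100::BBBB::Alice Example (work) <alice@corp.example>:
uid:r::::1105000200::CCCC::Alice Example <old@example.net>:
sub:-:2048:16:FEDCBA9876543210:1105000000::::::e:
"""

EMAIL_RE = re.compile(r"<([^<>\s]+@[^<>\s]+)>\s*$")

def parse_uids(listing):
    """Return the e-mail addresses of the non-revoked user IDs in a colon listing."""
    emails = []
    for line in listing.splitlines():
        rec = line.split(":")
        # Field 1 is the record type, field 2 the validity ('r' = revoked).
        if rec[0] != "uid" or len(rec) < 10 or rec[1] == "r":
            continue
        uid = rec[9].replace("\\x3a", ":")  # gpg escapes ':' inside user IDs
        m = EMAIL_RE.search(uid)
        if m:  # a uid without an address has nothing to challenge
            emails.append(m.group(1).lower())
    return emails

def make_challenges(emails, nbytes=16):
    """One independent random string per address, so a reply proves control
    of that specific mailbox and not just of any address on the key."""
    return {e: secrets.token_hex(nbytes) for e in emails}

def uids_to_sign(challenges, replies):
    """Addresses whose returned string matches the one sent to that address."""
    return [e for e, tok in challenges.items()
            if hmac.compare_digest(tok.encode(), replies.get(e, "").encode())]

if __name__ == "__main__":
    sent = make_challenges(parse_uids(SAMPLE_LISTING))
    # Constructed replies: only the first address answered correctly.
    replies = {"alice@example.org": sent["alice@example.org"],
               "alice@corp.example": "wrong"}
    print(uids_to_sign(sent, replies))
```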