
Re: Key signing, authentication



According to Christian D. Odhner:
> 
> Recently there was some discussion about when to sign somebody's public
> key and when not to. Does anybody have a short, to the point set of
> guidelines on when it is ok to sign? I think minimum requirements to sign
> would most likely be receiving that key from the owner both on and off
> the net. That way somebody on the net who is doing man-in-the-middle type
> attacks is thwarted, as is somebody who gives you the key off the net with
> a false net-id. Anyway, I'm sure there's more to it than that, like are
> phone calls ok? I mean, how did you get the # anyway? And what about
> meeting the person in the flesh? How do you know they are the same person
> you talk to on the net? Thinking too much about this could make a person
> .really. paranoid!

Well, I think I started that thread with a query.  I got lots of discussion and 
summarized the (most conservative) consensus in my .plan file.  You can read my
policy by typing finger [email protected].  Hope this helps.

>"The NSA can have my secret key when they pry
>it from my cold, dead, hands... But they shall
>NEVER have the password it's encrypted with!"

I love it! ;^)

> 
J. Michael Diehl   ;^)  |*The 2nd Amendment is there in case the 
[email protected]   | Government forgets about the 1st!  <RL>
[email protected]  |*God is a good Physicist, and an even 
    .fidonet.org        | better Mathematician.  <Me>
[email protected]|*I'm just looking for the opportunity to 
 (505) 299-2282 (voice) | be Politicly Incorrect! <Me>
Can we impeach him yet? |*Protected by 18 USC 2511 and 18 USC 2703. 
PGP Key = 7C06F1 = A6 27 E1 1D 5F B2 F2 F1  12 E7 53 2D 85 A2 10 5D