[clug-talk] LinuxFest - 'web of trust'.

simon simon at mungewell.org
Tue May 2 14:34:51 PDT 2006


On Tue, May 02, 2006 at 03:09:34PM -0600, Mitchell Brown wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> If you are not on a keyserver, should you bring your entire shared key?
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.3 (MingW32) - WinPT 0.11.12
> 
> iD8DBQFEV8qJ9/Zcz5CRxCIRAu67AJ4mLZtoUUvs+9CwydaJiJg7dOJDjgCeJaDV
> jhsobZgNk6THafqgaFmSsdM=
> =3Ach
> -----END PGP SIGNATURE-----
> 

Hi,
General convention is that you don't expect someone to insert a floppy
or flash card into their machine (you might have a clever virus on it),
and you should never place your secret key on a machine that you don't
trust (which you would need to do to sign a key).

So in the case where you don't want to make your public key public (lots
of valid reasons for that) you can confirm identity and exchange
fingerprints, but then arrange to email each other your public keys.

You can then sign as normal and email the result back.

I have placed my public key on my website, so if it weren't on a
keyserver you could get it from there.

Another really interesting option is to print it out in machine-readable
format; OCR is a possibility but 2D barcodes are more fun :-)


Another thing to expect is that not everyone who takes your
fingerprint details will actually sign your key, so don't get upset if
you don't get as many sigs as you were expecting...

Simon.


