[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Keysigning Party, et al...

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Tue, 13 Jun 2000, Joey Hess wrote:

> Clay Crouch wrote:
> > Maybe I am wrong, but I do not feel the need to verify the key on disk.
> > A disk with UID/Fingerprint pair(s) written on the label, handed to me
> > by a person who's ID (DL, Passport, etc) I have seen suffices for me
> > to believe that the key(s) contained on the disk is indeed theirs.
> > After all, I recieved not just the Fingerprint/ID info for their key,
> > but *the_key_itself* from their hand. IMHO, that's 100% surety.
> 
> Did they have the disk in their possession from the moment they put the
> key on it until they handed it to you? Could it have been replaced with
> a similar disk, or altered in that time period? Are you able to take
> precautions to ensure these things don't happen from the moment you
> receive the disk until you use it?

Valid questions, to be sure. Correct me if I am expecting too much
from my fellow travelers, tho.... :^)

If I know I am traveling to or from a key exchange, you think I'd
let a keydisk out of my immediate posession, even for an instant?

Methinks not.

Would I be unreasonable to expect anyone else to act likewise? :^)

> These are all reasons I'm wary of disks for key-exchange, especially if
> one or both parties is traveling to meet the other. I personally like
> printed materials (business cards work well). East to keep safely on
> your person at all times. Easy to verify before you give to someone
> (just print it up in a distinctive way and memorize your key fingerprint).
> Easy to mark immediatly when you receive it to ensure it is not replaced
> behind your back (just sign it, then put it in your wallet).

Agreed. It would be simpler to do things this way. Maybe I _am_ paranoid,
but there _is_ a lot of internet between their keyring and mine.
Exchanging disks, with proper caution, eliminates _all_ possibilities
for covert attack. (Except for the case of forged ID/documents....)

But.... I'll concede that you all have convinced me. Printed media
will suffice, at least as far as Debian is concerned. :^)
 
> Yeah, this is paranoid, but paranoia is a good idea when signing keys,
> and can be a fun outlet too. ;-)

I always liked the decoder rings out of cereal boxes, anyway. ;^>
 
Cheers!
 ____________________________________________________________________
/ Clay Crouch                      | <danno@danno.tzo.com>           \
| Shameless Bum Emeritus :^)       | <http://danno.tzo.com/~danno>   |
+----------------------------------+---------------------------------+
|               Linux: The choice of a GNU generation.               |
+--------------------------------------------------------------------+
| PGP 94781680: 020E 793B 455D 9737 5956 1A3B 0AE8 807A 9478 1680    |
| GPG 7D2AD631: 2319 2356 FEDF 4631 63F3 762A E443 1C2A 7D2A D631    |
\____________________________________________________________________/
-----BEGIN PGP SIGNATURE-----
Comment: Made with pgp4pine

iD8DBQE5RjBF5EMcKn0q1jERAs9AAJ9rBcH6bYs9BY+swhnOppCY/uw1OwCfUqoW
htzKxOWwFgjXCjPX+2hqWCw=
=mYHh
-----END PGP SIGNATURE-----
Reply to: