PGP signatures.

Patrick O'Callaghan pocallaghan at gmail.com
Wed May 28 19:28:29 UTC 2008


On Wed, 2008-05-28 at 13:06 -0400, Todd Zullinger wrote:
> Patrick O'Callaghan wrote:
> > On Wed, 2008-05-28 at 08:04 -0500, Aaron Konstam wrote:
> >> Ok, I agree with your analysis. It can't be ruled as invalid if it had
> >> not been retrieved. But I am ignorant. I do not know how to do the
> >> signing.
> > 
> > gpg --sign-key <name>
> 
> Bzzt!  Don't do that.  Not unless you have:
> 
>     1) Verified the details of the key (fingerprint, size, and type,
>     at least)
>     
>     2) Verified the email address used (perhaps via a simple challenge
>     email asking the key holder to sign some data of your choosing and
>     return it to you)
> 
>     3) Done some sort of validation that the name on the key is really
>     the name the key holder is known as
> 
> There is nothing to be gained by just signing a key to make the
> "invalid" warning go away.  And in fact, it can be harmful.  If you
> use --sign-key and then even send that key to someone else or to a
> keyserver, others may take your signature to mean that you've done
> some or all of the verification I mentioned above.  If you haven't,
> you're harming your reputation, as no one wants to trust the
> signature from someone that doesn't do any verification.  (Think of
> signing a key as you would notarizing a document.  You wouldn't stamp
> your seal on something without some checking.)
> 
> If you really must silence the warning (and I would argue that there
> is no point in that), you can use gpg --lsign-key to create a local
> signature.  Such a signature will not ever be exported.

Correct, I should have said --lsign-key.

poc
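The checklist Todd lays out, and the distinction between an exportable signature and the local one Patrick settles on, can be exercised end to end without touching a real keyring. The script below is an added example, not code from the thread: it checks a key's fingerprint against a value obtained out of band, certifies the key with the scriptable form of `--lsign-key`, and then confirms that an export of the key (what a keyserver upload would carry) contains no signature from the certifier. The Alice and Bob keys, their addresses, the throwaway `GNUPGHOME` directories and the bogus fingerprint are all constructed for the example; it assumes GnuPG 2.1 or later for the `--quick-gen-key` and `--quick-lsign-key` commands.

```shell
#!/bin/sh
# Added example, not from the original thread: the fingerprint check Todd
# asks for before signing any key, followed by a local (non-exportable)
# certification, the --lsign-key Patrick corrects himself to. Everything
# runs in throwaway GNUPGHOME directories with freshly generated throwaway
# keys; the names and addresses are constructed. Needs GnuPG 2.1 or later
# for the --quick-* commands.

# Turn a fingerprint as a person reads it back (spaced groups, any case)
# into the 40 upper-case hex digits gpg prints in --with-colons output.
normalise_fpr() {
    printf '%s' "$1" | tr -d ' ' | tr 'abcdef' 'ABCDEF'
}

# Read gpg --with-colons output on stdin and print the primary key's
# fingerprint (the first "fpr" record; field 10 carries the value).
primary_fpr_from_colons() {
    awk -F: '$1 == "fpr" { print $10; exit }'
}

# Return 0 if the key selected by $1 in the current keyring has the
# fingerprint $2 (the value obtained out of band), 1 otherwise.
fingerprint_matches() {
    actual=$(gpg --batch --with-colons --fingerprint "$1" 2>/dev/null \
             | primary_fpr_from_colons)
    [ -n "$actual" ] && [ "$actual" = "$(normalise_fpr "$2")" ]
}

# Print the long key ID of the key selected by $1 (field 5 of "pub").
keyid_of() {
    gpg --batch --with-colons --list-keys "$1" 2>/dev/null \
        | awk -F: '$1 == "pub" { print $5; exit }'
}

# Walk-through, run in a subshell so GNUPGHOME never leaks to the caller:
# Alice receives Bob's key over an untrusted channel, checks its fingerprint,
# certifies it locally, and confirms the certification is not exported.
# Exit status 0 when every check behaves as expected, 1 on any failure,
# 2 when gpg is not installed.
lsign_demo() (
    command -v gpg >/dev/null 2>&1 || exit 2
    work=$(mktemp -d) || exit 1
    alice="$work/alice"; bob="$work/bob"
    mkdir -m 700 "$alice" "$bob"
    opts='--batch --quiet --pinentry-mode loopback'
    # finish STATUS: stop the agents started for the throwaway homes, clean up.
    finish() {
        GNUPGHOME=$alice gpgconf --kill all 2>/dev/null
        GNUPGHOME=$bob gpgconf --kill all 2>/dev/null
        rm -rf "$work"; exit "$1"
    }
    # Throwaway keys with empty passphrases so nothing prompts.
    GNUPGHOME=$bob gpg $opts --passphrase '' --quick-gen-key \
        'Bob Example <bob@example.invalid>' default default never 2>/dev/null || finish 1
    GNUPGHOME=$alice gpg $opts --passphrase '' --quick-gen-key \
        'Alice Example <alice@example.invalid>' default default never 2>/dev/null || finish 1
    # The value Bob reads to Alice over the phone (the out-of-band channel).
    bob_fpr=$(GNUPGHOME=$bob gpg --batch --with-colons --fingerprint bob@example.invalid \
              | primary_fpr_from_colons)
    # Alice fetches Bob's public key over an untrusted channel (a file here,
    # a keyserver in practice) and imports it into her own keyring.
    GNUPGHOME=$bob gpg --batch --export bob@example.invalid > "$work/bob.gpg"
    export GNUPGHOME="$alice"
    gpg --batch --quiet --import "$work/bob.gpg" 2>/dev/null || finish 1
    # Step 1 of the thread's checklist: the fingerprint must match before any
    # signing, and a non-matching value (constructed here) must be rejected.
    fingerprint_matches bob@example.invalid "$bob_fpr" || finish 1
    fingerprint_matches bob@example.invalid \
        '0123 4567 89AB CDEF 0123 4567 89AB CDEF 0123 4567' && finish 1
    # Local certification: --quick-lsign-key is the scriptable form of --lsign-key.
    gpg $opts --passphrase '' --quick-lsign-key "$bob_fpr" 2>/dev/null || finish 1
    # Alice's own keyring now lists her signature on Bob's key ...
    me=$(keyid_of alice@example.invalid)
    gpg --batch --with-colons --list-sigs bob@example.invalid 2>/dev/null \
        | awk -F: -v k="$me" '$1 == "sig" && $5 == k { found = 1 } END { exit !found }' \
        || finish 1
    # ... but an export of Bob's key (what a keyserver upload would send) omits it.
    gpg --batch --export bob@example.invalid | gpg --batch --list-packets 2>/dev/null \
        | grep -qi "keyid $me" && finish 1
    finish 0
)

# RUN_DEMO=1 sh this_file.sh runs the walk-through; sourcing the file only
# defines the functions.
if [ "${RUN_DEMO:-0}" = 1 ]; then
    lsign_demo && echo "lsign walk-through: all checks passed" \
        || echo "lsign walk-through: failed with status $?"
fi
```

`fingerprint_matches` is the reusable piece: point it at your own keyring and the fingerprint you were given in person, and sign nothing until it returns 0. The final two checks make the thread's point concrete: the local signature is visible in `--list-sigs` on Alice's side, yet `--export` never emits it, so it can silence the "invalid" warning without telling anyone else that a verification took place.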