On 14-Feb-1998, Ender Wigin <[EMAIL PROTECTED]> wrote:
>
> Ok, I found a maintainer who will sign my PGP signature ... but both of us
> are lost as to what exactly we have to do to "sign" a signature... Here is
> what he thought was the right way to do it.
>
> "I'll come over with my public key. We will compare IDs, and then, if
> you want, you can sign my public key. You'll also give me a copy of
> your public key, for me to bring home and sign. Then I email you the
> signed copy of your public key (the email being signed and encrypted, of
> course). Does this sound right? I'm a little leery of the need to add
> my secret key to your machine in order for me to sign your key, which
> appears to be what is needed from my reading of the docs. I could be
> wrong, so if there is a better way, let me know."
>
> Is this the "right way"(tm) to do this ... is there a better way? ...
> Thanks...
Here's what was used when I did it. This works for groups as well:

- Before meeting, exchange keys via email, or whatever. (You might want to download them from the keyserver.) If there are lots of people, get one person to co-ordinate this -- they should send out lists of names, key IDs and email addresses, and prepare a "keyring" with all the participants' keys in it.
- Everybody meets. Each person reads out their KeyID (from their own records, to make sure the co-ordinator isn't swindling anyone), and shows you their photo ID (to make sure they aren't swindling anyone).
- If you are certain they are who they say they are (e.g. the photo ID looks authentic), write down their KeyID and name. It's nice if the co-ordinator sends you a list in advance, then you can just tick them off.
- Go home and sign whichever keys you have ticked or written down. Make sure the keys on the keyring match the KeyIDs you have written down.
- Upload the signed keys to a keyserver.

I found it was actually easier to scan and send in some photo ID with your KeyID written next to it. But it isn't as social.
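The "go home and check the keyring against what you wrote down" step is the one people skip, and it is the step that stops you signing a key the co-ordinator (or anyone who tampered with the keyring in transit) slipped in under a familiar name. Below is an added example of that reconciliation, not from this thread or from any PGP implementation. It assumes you keep your ticked list as `name:keyid` lines and that you have a colon-format key listing of the co-ordinator's keyring (the shape `gpg --with-colons --list-keys` prints, where field 5 of a `pub` record is the key ID). Both inputs here are constructed samples with made-up names and IDs; one of them deliberately does not match, to show the failure mode. If you wrote down full fingerprints rather than key IDs, compare those instead; the check is the same.

```shell
#!/bin/sh
# Added example (not part of the original thread): reconcile the key IDs you
# ticked off in person against the keys actually present on the keyring.

# Constructed sample: the "name:keyid" pairs you wrote down at the meeting.
TICKED_LIST='Alice Example:0123456789ABCDEF
Bob Example:FEDCBA9876543210'

# Constructed sample shaped like `gpg --with-colons --list-keys` output for the
# co-ordinator's keyring. Bob's key on the ring has a DIFFERENT ID from the one
# he read out, which is exactly what this check is meant to catch.
KEYRING_LISTING='pub:u:2048:1:0123456789ABCDEF:1998-02-14::-::::
uid:u::::1998-02-14::0000000000000000000000000000000000000001::Alice Example <alice@example.invalid>:
pub:u:2048:1:AAAAAAAABBBBBBBB:1998-02-14::-::::
uid:u::::1998-02-14::0000000000000000000000000000000000000002::Bob Example <bob@example.invalid>:'

# Print the key IDs present in a colon-format listing (field 5 of "pub" records).
keyring_keyids() {
    printf '%s\n' "$1" | awk -F: '$1 == "pub" { print $5 }'
}

# Return 0 if key ID $2 is on the listing $1, 1 otherwise. Whole-line match so
# a short ID cannot accidentally match the tail of a longer one.
key_on_ring() {
    keyring_keyids "$1" | grep -qx "$2"
}

# Reconcile the ticked list ($2) against the listing ($1). Prints one line per
# entry and returns the number of entries whose key is NOT on the ring, so a
# return of 0 means every key you intend to sign is present as written down.
reconcile() {
    listing="$1"
    missing=0
    while IFS=: read -r name keyid; do
        [ -n "$keyid" ] || continue
        if key_on_ring "$listing" "$keyid"; then
            printf 'OK       %s  %s\n' "$keyid" "$name"
        else
            printf 'MISSING  %s  %s  (not on ring as written down; do not sign)\n' "$keyid" "$name"
            missing=$((missing + 1))
        fi
    done <<EOF
$2
EOF
    return "$missing"
}

if reconcile "$KEYRING_LISTING" "$TICKED_LIST"; then
    echo "every ticked key ID is on the ring"
else
    echo "at least one ticked key ID is not on the ring; sign only the OK entries"
fi
```

Run it as-is and Alice comes back `OK` while Bob comes back `MISSING`: the ring carries a key under his name, but not the one he vouched for in person, so that key gets no signature until the discrepancy is explained. Feeding the real listing in is a matter of replacing the `KEYRING_LISTING` sample with the output of `gpg --with-colons --list-keys` on the co-ordinator's keyring.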