On Mon, 22 Dec 2003 20:02, Marcel Weber <[EMAIL PROTECTED]> wrote:
> Russell Coker wrote:
> > Signing a key you don't know is not a good idea, it's easy to
> > accidentally upload a key...
> >
> > There is a gpg option "lsign" which can be used for this, it's like a
> > regular signature but it can never be exported.
>
> Right: But if he is sure he trusts this key he should sign it and upload
> it to the key server.
If he is sure because he verified the key fingerprint while meeting the owner in person, and the owner provided photo-id (or is someone he has known for many years), then he can do that. Alternatively, signing a key based on a phone call with someone you know well enough to recognise their voice may be OK. Being sure because "the key servers generally have the right data" is of course not a reason to upload.

I assume that if he had met the person and verified the fingerprint then he would have signed the key and we wouldn't be having this discussion. If he hasn't met them then it should not be signed.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page
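The lsign property quoted above ("it's like a regular signature but it can never be exported") is enforced by the signature packet itself, not by keyring policy: GnuPG's lsign puts an Exportable Certification subpacket (RFC 4880 section 5.2.3.11, subpacket type 4) with value 0 into the hashed area, and gpg's export code drops any certification carrying it. The following is an added example, not code from this thread or from GnuPG. It builds two constructed certification packets (the issuer key ID, timestamp and MPI are dummies, so they parse correctly but are not valid signatures), one shaped like the output of sign and one like lsign, then classifies them and applies the same export rule gpg uses.

```python
"""Why a certification made with gpg's lsign can never be exported.

Added example for this thread, not code from the list or from GnuPG. lsign writes
an Exportable Certification subpacket (RFC 4880 5.2.3.11, type 4) with value 0
into the hashed area; `gpg --export` then skips any certification carrying it.
The packets below are constructed dummies (fake key ID, timestamp and MPI), so
they parse correctly but are not cryptographically valid.
"""
import struct

SIG_PACKET_TAG = 2
SUB_EXPORTABLE = 4              # Exportable Certification subpacket
SUB_ISSUER = 16                 # Issuer key ID subpacket
CERT_TYPES = {0x10: "generic", 0x11: "persona", 0x12: "casual", 0x13: "positive"}

def _subpacket(sp_type, body):
    """Encode one subpacket (lengths < 192 only); the length counts the type octet."""
    return bytes([len(body) + 1, sp_type]) + body

def build_cert_packet(sig_type, exportable, issuer):
    """Build a v4 certification packet shaped like sign/lsign output (constructed)."""
    hashed = _subpacket(2, struct.pack(">I", 0x3FE60000))   # creation time (fake)
    if not exportable:
        hashed += _subpacket(SUB_EXPORTABLE, b"\x00")       # the lsign marker
    unhashed = _subpacket(SUB_ISSUER, issuer)
    body = (bytes([4, sig_type, 1, 2])                      # v4, class, RSA, SHA-1
            + struct.pack(">H", len(hashed)) + hashed
            + struct.pack(">H", len(unhashed)) + unhashed
            + b"\xab\xcd" + struct.pack(">H", 8) + b"\x42") # hash prefix, dummy MPI
    return bytes([0xC0 | SIG_PACKET_TAG, len(body)]) + body # new-format, 1-octet length

def _iter_packets(data):
    """Yield (tag, raw, body); new-format headers plus old-format 1/2-octet lengths."""
    i = 0
    while i < len(data):
        ctb = data[i]
        if ctb & 0x40:                                      # new-format header
            tag, first = ctb & 0x3F, data[i + 1]
            if first < 192:
                length, hdr = first, 2
            elif first < 224:
                length, hdr = ((first - 192) << 8) + data[i + 2] + 192, 3
            else:
                raise ValueError("long/partial body lengths not supported")
        elif (ctb & 0x03) < 2:                              # old-format header
            tag, hdr = (ctb >> 2) & 0x0F, 2 + (ctb & 0x03)
            length = int.from_bytes(data[i + 1:i + hdr], "big")
        else:
            raise ValueError("unsupported old-format length type")
        end = i + hdr + length
        yield tag, data[i:end], data[i + hdr:end]
        i = end

def _iter_subpackets(area):
    """Yield (type, body) over a hashed or unhashed subpacket area."""
    i = 0
    while i < len(area):
        first = area[i]
        if first < 192:
            length, hdr = first, 1
        elif first < 255:
            length, hdr = ((first - 192) << 8) + area[i + 1] + 192, 2
        else:
            length, hdr = struct.unpack(">I", area[i + 1:i + 5])[0], 5
        yield area[i + hdr] & 0x7F, area[i + hdr + 1:i + hdr + length]  # mask critical bit
        i += hdr + length

def cert_info(body):
    """Return (class, issuer_hex, exportable) for a v4 certification body, else None."""
    if len(body) < 6 or body[0] != 4 or body[1] not in CERT_TYPES:
        return None
    pos = 6 + struct.unpack(">H", body[4:6])[0]             # end of hashed area
    unhashed_len = struct.unpack(">H", body[pos:pos + 2])[0]
    exportable, issuer = True, ""                           # no subpacket == exportable
    for area in (body[6:pos], body[pos + 2:pos + 2 + unhashed_len]):
        for sp_type, sp_body in _iter_subpackets(area):
            if sp_type == SUB_EXPORTABLE:
                exportable = sp_body[0] == 1
            elif sp_type == SUB_ISSUER:
                issuer = sp_body.hex().upper()
    return CERT_TYPES[body[1]], issuer, exportable

def classify_certifications(data):
    """List (class, issuer, exportable) for every certification in a packet stream."""
    return [info for _, _, body in _iter_packets(data) if (info := cert_info(body))]

def export_filter(data):
    """Mimic `gpg --export` without export-local-sigs: drop non-exportable certs."""
    return b"".join(raw for _, raw, body in _iter_packets(data)
                    if (info := cert_info(body)) is None or info[2])

ISSUER = bytes.fromhex("0123456789ABCDEF")                  # constructed key ID
SAMPLE = (build_cert_packet(0x10, True, ISSUER)             # as `gpg --sign-key` makes
          + build_cert_packet(0x10, False, ISSUER))         # as `gpg --lsign-key` makes
```

On a real keyring the same distinction is visible with `gpg --check-sigs <keyid>`, which prints an L flag after `sig` for a local signature, and `gpg --export <keyid>` omits that signature unless you pass `--export-options export-local-sigs`. The parser above only classifies signatures; it does not verify them, and it handles the new-format and short old-format packet headers but not partial or indeterminate body lengths.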