Michael Pobega wrote on Sunday, April 01, 2007 7:32 PM -0500:
> On Sun, Apr 01, 2007 at 07:09:55PM -0500, John Hasler wrote:
> > Michael Pobega writes:
> > > Is it a bad practice to verify keyrings of people on the mailing
> > > list, or is it better to wait until I meet up with some of them
> > > at say Debconf or something similar?
> >
> > Depends on what you mean by "verify". There is nothing wrong with
> > downloading their public keys and using them to verify that all the
> > messages purporting to come from them are indeed signed with the
> > same key and so probably did come from the same person. However,
> > you should not sign someone's key unless you have met them,
> > interviewed them, and examined and verified their credentials.
> >
>
> What exactly is signing a key, and how does it work?
>
> I'd Google it...but I wouldn't know where to start.
It's a long story, but here's an attempt to make it short ...

Public key cryptography has two keys: one public and one private. They are created as a pair and work together. The fact that you can verify a signature against a public key says that the person who signed the message had the private key corresponding to the public key. It says nothing about the identity of the person who created the signature. Public key signatures are more like notary stamps or seals than hand signatures. They say only that the person who signed the file possessed the seal.

To help associate a public key with a personal identity, you have to meet someone in person and check an identity document to match a picture to their face. The person then gives you a piece of paper with a "fingerprint" of their public key. You can go home and affix your digital signature to their public key, certifying that you are satisfied they are who they claim. Your signature gets added to their public key on the keyserver, so anyone who trusts you can have some trust that this key belongs to the person who claims it.

This is how keys inherit trust. The more signatures on your public key, the more likely it is that a random third party knows either someone who signed your key, or knows someone who knows someone who signed your key, etc. As others have pointed out, this is not a guarantee of identity, but it is good enough for most purposes.

-- 
Seth Goodman
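The fingerprint exchange and key certification described in the reply above, as an added example that is not part of the original thread. It assumes GnuPG 2.1 or later is installed as `gpg`, and uses constructed test identities (alice@example.org, bob@example.org) in a throwaway keyring so the real keyring is never touched.

```shell
#!/bin/sh
# Added example, not from the original thread: the key-signing workflow the
# reply describes, run on throwaway keys in a temporary GNUPGHOME.
# Assumes GnuPG 2.1+ is on PATH as `gpg`.
set -eu

export GNUPGHOME
GNUPGHOME="$(mktemp -d)"
chmod 700 "$GNUPGHOME"
trap 'gpgconf --kill gpg-agent 2>/dev/null || true; rm -rf "$GNUPGHOME"' EXIT

# gpg wrapper: no prompts, no pinentry popups, empty passphrase (test keys only).
g() { gpg --batch --quiet --pinentry-mode loopback --passphrase '' "$@"; }

# Two fictional people with constructed, passphrase-less test keys.
g --quick-generate-key 'Alice <alice@example.org>' default default never
g --quick-generate-key 'Bob <bob@example.org>' default default never

# The "piece of paper" Alice hands Bob in person: her primary key's fingerprint.
fingerprint_of() {   # $1 = user id
    gpg --batch --with-colons --fingerprint "$1" | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Bob, satisfied by Alice's ID document, certifies her key with his own key.
# The certification is stored on Alice's public key, which is what would be
# uploaded to a keyserver for others to see.
certify() {   # $1 = signer's user id, $2 = fingerprint of the key being certified
    g --yes --local-user "$1" --quick-sign-key "$2"
}

# Count certifications gpg can verify ("sig:!" in colon output) on a key,
# excluding the key's own self-signature. This is what a third party sees
# when deciding how much to trust the key.
third_party_sigs() {   # $1 = user id, $2 = that key's own fingerprint
    gpg --batch --with-colons --check-sigs "$1" | awk -F: -v self="$2" '
        $1 == "sig" && $2 == "!" && $5 != substr(self, 25) { n++ }
        END { print n + 0 }'
}

ALICE_FPR="$(fingerprint_of alice@example.org)"
BEFORE="$(third_party_sigs alice@example.org "$ALICE_FPR")"   # only the self-sig so far
certify bob@example.org "$ALICE_FPR"
AFTER="$(third_party_sigs alice@example.org "$ALICE_FPR")"    # now carries Bob's certification
echo "Alice's key $ALICE_FPR: $BEFORE -> $AFTER third-party certification(s)"
```

Run it as-is; `--check-sigs` only marks Bob's certification `!` because his public key is present in the same keyring, which is exactly the "someone you know signed it" condition the reply describes.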

