On 09/16/2013 06:32 AM, atair wrote:
Hi all,

I'm now in the situation to sign one other's key for the first time.
He signed mine some days ago and sent me an email "Your PGP key
<keyid>" to each UID of my key with an attached file
"<my-keyid>.<index of UID>.signed-by-<his-keyid>.asc".
I know that I can use --sign to sign the key and then --export to
export it, but I don't know how to do this for each UID (content of
attached files differ). I also discovered that there's a sign, lsign,
... in the interactive mode with --edit-key -- what are they for/how
do they differ from normal --sign?

To me, this seems like a standard procedure/template, is it? Where to get it?
To me this looks pretty good, as it respects the signed person's
freedom to publish the signature on the keyservers he/she wants to
(and not me doing sth. with one other's key).

The way that your signer did it is _a_ standard way to do it. CAFF is a very popular program for that, and there is another here that is also pretty good: http://www.phildev.net/pius/news.shtml

I have another philosophy that works for me because I prefer not to sign uids that are not valid. I send encrypted e-mail to each uid with a pseudo-random string and ask the person to send me back the string in a signed message. That allows me to determine if the person has control of all 3 elements of the uid: the e-mail address, private, and public keys. As a pleasant side effect it also gives me a chance to judge their competence with PGP, which allows me to assign a better trust value to folks I did not previously know.

I have the script to do this here: https://dougbarton.us/PGP/gen_challenges.html

hope this helps,

Doug
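As an added illustration of the per-uid challenge procedure described above (example code written for this page, not Doug's gen_challenges script and not from the original thread): it parses a constructed `gpg --with-colons --list-keys` listing, issues one fresh token per usable uid, and works out which single uid a returned reply proves control of. The key, uids and addresses in the sample listing are made up; verifying the signature on the reply is assumed to be done separately with gpg.

```python
import hmac
import re
import secrets

# Constructed sample of `gpg --with-colons --list-keys` output (fake key and uids).
SAMPLE_LISTING = """\
pub:u:4096:1:0123456789ABCDEF:1379000000:::u:::scESC::::::23::0:
uid:u::::1379000000::DEADBEEF00000000000000000000000000000000::Alice Example <alice@example.org>::::::::::0:
uid:u::::1379000000::CAFEBABE00000000000000000000000000000000::Alice Example <alice@example.net>::::::::::0:
uid:r::::1379000000::0000000000000000000000000000000000000000::Alice Old <alice@old.example>::::::::::0:
"""

def list_uids(listing):
    """Parse --with-colons output into (index, validity, uid) tuples.
    Index counts uid records from 1 in listing order, matching `uid N` in --edit-key."""
    uids = []
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] == "uid":
            uids.append((len(uids) + 1, f[1], f[9]))
    return uids

def email_of(uid):
    m = re.search(r"<([^>]+)>", uid)
    return m.group(1) if m else None

def gen_challenges(listing, rng=secrets.token_hex):
    """One fresh token per usable uid. Revoked ('r') and expired ('e') uids, and
    uids without an address, are skipped: they cannot be exercised by e-mail."""
    challenges = {}
    for index, validity, uid in list_uids(listing):
        addr = email_of(uid)
        if validity in ("r", "e") or addr is None:
            continue
        challenges[index] = {"uid": uid, "email": addr, "token": rng(16)}
    return challenges

def check_reply(challenges, reply_body):
    """Return the uid index whose token appears in the reply body, else None.
    Assumes the reply's signature was already verified with gpg against the same
    key; this only decides which one uid the reply proves control of, so only
    that uid (not the whole key) gets signed."""
    found = re.findall(r"\b[0-9a-f]{32}\b", reply_body)
    for index, c in challenges.items():
        if any(hmac.compare_digest(c["token"], t) for t in found):
            return index
    return None
```

A token is only ever matched against the uid it was issued for, so a reply from one address cannot be used to sign a uid whose address was never exercised.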


_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users