I seem to recall reading somewhere that when exchanging keys in person, you should not only have the person verify the key fingerprint, but you should also present them with 1) an unpredictable challenge document to sign or 2) verify that they can decrypt an encrypted message using the key in question. This would ensure they have access to the secret half of the keypair in question.
Is verifying proof of possession necessary or good practice, or is checking fingerprints (and, when you don't know the person, photo ID or similar) enough?

Phil

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
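The challenge-signing procedure described in the post, as an added example with GnuPG (not code from the original message or from the GnuPG project): the verifier issues a random challenge, the other party returns a detached signature over it, and the verifier accepts only if that signature checks out under the key whose fingerprint was compared in person. The peer key, the example.invalid user ID and the two temporary keyrings are constructed for the demo; it assumes GnuPG 2.x on PATH.

```shell
#!/bin/sh
# Proof of possession for an OpenPGP key: verifier issues a random challenge,
# peer signs it, verifier checks the signature against the vetted fingerprint.
# Assumes GnuPG 2.x on PATH; the peer and both keyrings are constructed here.
set -eu

PEER_HOME=$(mktemp -d)      # stand-in for the other party's secret keyring
VERIFIER_HOME=$(mktemp -d)  # our keyring: will hold only the peer's public key
cleanup() {
  for h in "$PEER_HOME" "$VERIFIER_HOME"; do GNUPGHOME=$h gpgconf --kill gpg-agent 2>/dev/null || true; done
  rm -rf "$PEER_HOME" "$VERIFIER_HOME"
}
trap cleanup EXIT

# Peer side (simulated): generate a key, hand over only the public half.
peer_setup() {
  gpg --homedir "$PEER_HOME" --batch --quiet --pinentry-mode loopback \
      --passphrase '' --quick-generate-key 'Peer <peer@example.invalid>' \
      default default never >/dev/null 2>&1
  gpg --homedir "$PEER_HOME" --batch --armor --export 2>/dev/null |
    gpg --homedir "$VERIFIER_HOME" --batch --quiet --import >/dev/null 2>&1
}

# The primary fingerprint we compared with the peer in person.
expected_fingerprint() {
  gpg --homedir "$VERIFIER_HOME" --batch --with-colons --list-keys 2>/dev/null |
    awk -F: '$1 == "fpr" { print $10; exit }'
}

# Verifier side: a fresh random challenge. A fixed or guessable document would
# let an old captured signature be replayed, so unpredictability is the point.
make_challenge() {  # $1 = file to write
  head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n' > "$1"
}

# Peer side: sign exactly the bytes the verifier handed over (detached).
peer_sign() {  # $1 = challenge file, $2 = signature output file
  gpg --homedir "$PEER_HOME" --batch --yes --quiet --pinentry-mode loopback \
      --passphrase '' --armor --detach-sign --output "$2" "$1" 2>/dev/null
}

# Returns 0 only if the signature is valid over OUR copy of the challenge and
# was made by the key with the expected primary fingerprint (VALIDSIG status line).
verify_possession() {  # $1 = expected fingerprint, $2 = challenge, $3 = signature
  sig_fpr=$(gpg --homedir "$VERIFIER_HOME" --batch --status-fd 1 \
              --verify "$3" "$2" 2>/dev/null | awk '/VALIDSIG/ { print $NF; exit }')
  [ -n "$sig_fpr" ] && [ "$sig_fpr" = "$1" ]
}
```

A decryption challenge (option 2 in the post) works the same way in reverse: encrypt a random nonce to the public key and require the nonce back, never a predictable plaintext.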