On Friday 15 November 2013 11:39:30 Phil Calvin wrote:
> On Nov 15, 2013, at 11:02, "Thomas Harning Jr." wrote:
> > The general practice I follow is to verify fingerprint and ID separately
> > then, in order to verify control of email address and private key, send
> > the signed ID encrypted to th
That makes perfect sense. That's the approach I took on the most recent key I
signed.
What attacks are mitigated by verifying control of the secret key, though? I am
having a hard time grokking the benefit for someone whose ID you have verified
to present and fingerprint a key which she does no

The general practice I follow is to verify fingerprint and ID separately
then, in order to verify control of email address and private key, send the
signed ID encrypted to the provided email address.
On Wed, Nov 13, 2013 at 11:49 AM, Phil Calvin wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Ha

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
I seem to recall reading somewhere that when exchanging keys in
person, you should not only have the person verify the key
fingerprint, but you should also present them with 1) an unpredictable
challenge document to sign or 2) verify that they can decr
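
The practice described in this thread (certify the key, then send the signed copy encrypted to the address on the user ID) can be walked through with GnuPG as below. This is an added example, not part of any message in the thread; it assumes GnuPG 2.1 or later, and Alice, Bob, their example.org addresses and the helpers G, fpr_of and signed_key_roundtrip are constructed for the demonstration.

```shell
#!/bin/sh
# Added example. Alice (signer) and Bob (key owner) are constructed identities
# with throwaway, passphrase-less keys in temporary keyrings. Needs GnuPG 2.1+.
set -eu

# Run gpg non-interactively against the keyring in directory $1.
G() { h=$1; shift; gpg --homedir "$h" --batch --quiet --no-tty \
  --pinentry-mode loopback --passphrase '' "$@"; }

# Primary-key fingerprint of the key matching $2 in keyring $1.
fpr_of() { G "$1" --with-colons --fingerprint "$2" | awk -F: '$1 == "fpr" { print $10; exit }'; }

# Prints how many certifications by Alice are on Bob's key in Bob's own keyring.
signed_key_roundtrip() {
  work=$(mktemp -d); alice=$work/alice; bob=$work/bob
  mkdir -m 700 "$alice" "$bob"
  G "$alice" --quick-generate-key 'Alice Example <alice@example.org>' default default never >/dev/null
  G "$bob" --quick-generate-key 'Bob Example <bob@example.org>' default default never >/dev/null
  alice_fpr=$(fpr_of "$alice" alice@example.org)
  bob_fpr=$(fpr_of "$bob" bob@example.org)

  # Alice gets Bob's public key; this comparison stands in for checking the
  # fingerprint (and, separately, the ID) in person.
  G "$bob" --armor --export "$bob_fpr" | G "$alice" --import >/dev/null
  [ "$(fpr_of "$alice" bob@example.org)" = "$bob_fpr" ]

  # Alice certifies the key, then encrypts the signed copy to that same key.
  # --trust-model always: the fingerprint was already checked by hand.
  G "$alice" --quick-sign-key "$bob_fpr" >/dev/null
  G "$alice" --armor --export "$bob_fpr" |
    G "$alice" --trust-model always --armor --encrypt --recipient "$bob_fpr" > "$work/to-bob.asc"
  # to-bob.asc is what gets mailed to bob@example.org. Alice uploads nothing.

  # Bob needs the mailbox (to receive it) and the private key (to decrypt it)
  # before the certification can reach his keyring.
  G "$bob" --decrypt "$work/to-bob.asc" | G "$bob" --import >/dev/null

  # Count "sig" records on Bob's key whose issuer key ID is Alice's.
  G "$bob" --with-colons --list-sigs "$bob_fpr" |
    awk -F: -v fpr="$alice_fpr" \
      '$1 == "sig" && $5 == substr(fpr, length(fpr) - 15) { n++ } END { print n + 0 }'

  gpgconf --homedir "$alice" --kill all || true
  gpgconf --homedir "$bob" --kill all || true
  rm -rf "$work"
}
```
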