On Wednesday 28 May 2008 20:26:19 Patrick O'Callaghan wrote:
> On Wed, 2008-05-28 at 17:49 +0100, Anne Wilson wrote:
> > On Wednesday 28 May 2008 17:11:07 Mikkel L. Ellertson wrote:
> > > Tim wrote:
> > > > Patrick O'Callaghan:
> > > >>> gpg --sign-key <name>
> > > >
> > > > Bill Crawford:
> > > >> --lsign-key, please, unless you have met the person and seen their
> > > >> passport.
> > > >
> > > > A good idea, but could you tell a forged passport apart from a real
> > > > one? I'm sure that I couldn't. Likewise for other forms of ID, I
> > > > couldn't tell a real one from a good fake, and I'd have no way to
> > > > verify a real ID.
> > > >
> > > > Though I seriously doubt that most of us would be using gpg in a way
> > > > that required such a level of personal identity assurance.
> > >
> > > I started signing my email to the lists when a couple of messages
> > > hit a list with my email address that were not from me. This way, a
> > > forged message stands out because of the lack of signature, or
> > > because it is signed by a different key.
> >
> > For me, it was when someone accused me of sending a virused email, again
> > on a forged message.
>
> Anne, your signature on a message guarantees that you sent it (actually
> all it does is guarantee that it was sent by someone with access to your
> private key, but anyway), however the absence of your signature doesn't
> guarantee that you didn't send it. Your protestations that you always
> sign your mail have the same weight as saying you don't send viruses, so
> I don't see the gain in this specific example.
>
I tried to explain about looking at headers and comparing the originating IP with a message known to be from me, but that was too much for the person in question. As you say, the presence of my key shows that it originated from one of my computers. That's good enough for the purpose.

> > It is important, though, to maintain the web-of-trust. It does have
> > legal implications, and that's why local signing is an option.
>
> IANAL etc. etc. but what is your basis for saying it has legal
> implications? Some PKI systems may indeed have them, but GPG is not a
> PKI system.
>
IANAL either, but I understand that there have been contracts accepted in law on the strength of such a signature. Of course that has no relevance for me :-)

What exactly do you mean by 'GPG is not a PKI system'?

Anne
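The thread contrasts `--sign-key` with the `--lsign-key` that Bill Crawford recommends, and Anne mentions local signing as the option that keeps a certification out of the web of trust. The script below is an added demonstration, not code from the list thread or from GnuPG: it builds two throwaway keys for constructed identities (Alice and Bob), has Alice certify Bob's key with either mode, then exports Bob's key the ordinary way and imports it into an empty keyring to count how many of Alice's certifications actually travel with the key. It assumes GnuPG 2.1 or later (for `--quick-generate-key`, `--quick-lsign-key` and `--quick-sign-key`) and a writable temporary directory.

```shell
#!/bin/sh
# Added demo (not from the list thread): a --lsign-key certification stays
# in the local keyring, a --sign-key certification is exported and would
# reach a keyserver. Identities and keys are constructed for this script.
set -e

have_gpg() { command -v gpg >/dev/null 2>&1; }

# make_key USERID: generate a passphrase-less key in $GNUPGHOME and print
# its fingerprint. The user IDs are constructed, not real people.
make_key() {
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key "$1" default default never >/dev/null 2>&1
    gpg --batch --with-colons --list-keys "$1" \
        | awk -F: '$1 == "fpr" { print $10; exit }'
}

# count_exported_sigs MODE: MODE is "lsign" or "sign". Alice certifies
# Bob's key with that mode; Bob's key is exported normally, imported into
# a second empty keyring, and the number of certifications by Alice found
# there is printed. 0 means the certification never left the keyring.
count_exported_sigs() {
    mode=$1
    GNUPGHOME=$(mktemp -d); export GNUPGHOME
    chmod 700 "$GNUPGHOME"
    alice=$(make_key "Alice Demo <alice@example.invalid>")
    bob=$(make_key "Bob Demo <bob@example.invalid>")
    # Long key ID is the last 16 hex digits of the 40-digit fingerprint;
    # sig records in --with-colons output carry that key ID in field 5.
    alice_id=$(printf '%s\n' "$alice" | cut -c25-40)

    if [ "$mode" = lsign ]; then
        # Local (non-exportable) certification, as recommended in the thread.
        gpg --batch --quiet --yes --pinentry-mode loopback --passphrase '' \
            --default-key "$alice" --quick-lsign-key "$bob" >/dev/null 2>&1
    else
        # Exportable certification: this is what others will see and rely on.
        gpg --batch --quiet --yes --pinentry-mode loopback --passphrase '' \
            --default-key "$alice" --quick-sign-key "$bob" >/dev/null 2>&1
    fi

    # Plain --export is what a keyserver upload or a mailed key would carry;
    # local signatures are dropped unless export-local-sigs is set.
    gpg --batch --quiet --export "$bob" > "$GNUPGHOME/bob.gpg"

    other=$(mktemp -d)
    chmod 700 "$other"
    GNUPGHOME="$other" gpg --batch --quiet --import "$GNUPGHOME/bob.gpg" >/dev/null 2>&1
    n=$(GNUPGHOME="$other" gpg --batch --with-colons --list-sigs "$bob" \
        | awk -F: -v k="$alice_id" '$1 == "sig" && $5 == k { n++ } END { print n + 0 }')

    # Stop the agents started for the scratch homes and remove the keys.
    gpgconf --kill gpg-agent >/dev/null 2>&1 || true
    GNUPGHOME="$other" gpgconf --kill gpg-agent >/dev/null 2>&1 || true
    rm -rf "$GNUPGHOME" "$other"
    printf '%s\n' "$n"
}

if have_gpg; then
    echo "lsign-key: certifications by Alice in the exported key: $(count_exported_sigs lsign)"
    echo "sign-key:  certifications by Alice in the exported key: $(count_exported_sigs sign)"
else
    echo "gpg not installed; nothing to demonstrate"
fi
```

Run it as `sh lsign-demo.sh`; the first line reports 0 and the second 1. That difference is the whole point of preferring `--lsign-key` when you have not verified the key holder: a local signature still lets your own gpg treat the key as valid, but it never asserts that verification to anyone else.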
--
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list