Third party information (was: Semi-automated trust, policy)

greg@turnstep.com
Tue Dec 10 15:32:02 2002


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


> sign his key I found that while the key ID, date and some
> UIDs were there, the Fingerprint was missing.
>...
> and I still didn't sign it because he didn't list the
> fingerprint in his claim of ownership.
> 
> Am I being overly paranoid? (Apart from the fact that this 
> might serve as a lesson to take more care when preparing 
> for a key signing ;-)

No, you were not being overly paranoid. If someone made such 
a major mistake of leaving their fingerprint off at a keysigning, 
they do not deserve to be in the WoT. At the very least, I would 
not have helped them get deeper into it by signing their key. 

If anything, I think most people in general are not paranoid 
enough. I think the bare minimum should be checking the fingerprint, 
two picture IDs, and verifying the email afterwards. In an ideal 
world, I'd have other people vouch for their identity as well; 
this is one reason why keysignings held at existing user group 
meetings (e.g. LUGs) work so well.

Greg Sabino Mullane greg@turnstep.com
PGP Key: 0x14964AC8 200212100929

-----BEGIN PGP SIGNATURE-----
Comment: http://www.turnstep.com/pgp.html

iD8DBQE99fq9vJuQZxSWSsgRAuIsAKCrqB5n+3R+xvFScMS/XkZXqe6RywCfc4yu
xijnnRWMuXl+XRG4IOjs/To=
=OOmR
-----END PGP SIGNATURE-----