signing keys
Ingo Klöcker
ingo.kloecker@epost.de
Wed Jan 30 01:20:01 2002
Markus, I guess your message should have gone to the GnuPG mailing list.
On Tuesday 29 January 2002 12:39, markus_kampkoetter wrote:
> Ingo Klöcker wrote:
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> > On Monday 28 January 2002 19:08, Davide Cavallari wrote:
> > > You know, I'm just new to openPGP. If I want a friend of mine to
> > > securely sign my public key I think she should call me over
> > > the phone as it is explained in the original Zimmermann's
> > > manual. She cannot completely trust the information gained from
> > > my 'X-PGP' headers, since in this case there is no 'history' at
> > > all.
> >
> > Even better would be if you personally gave her a printout of your
> > key's fingerprint. Only if she knows your voice very well and if a
> > personal exchange of fingerprints is not possible you should use
> > the phone-call-method.
> >
> > Regards,
> > Ingo
>
> hi to all! (and sorry i do not use gpg at the moment)
> in the above case you should not use any wireless phone.
Why? No confidential information is exchanged over the phone. The only
piece of information which is exchanged is the key's fingerprint (which
is not secret but public because it's the fingerprint of the public
key).
> to be true, this discussion seems to be very theoretical (but
> still interesting). i am new to the theme but have there been
> 'exploits' in a way that somebody created 'evil' keys?
Yes. There were already some keys created by unknowns with the identity
of other people. IIRC there is a fake key with Phil Zimmermann's name
on it.
> if a strong/powerful/rich
> person/state/organization would really like to know what _you_ are
> doing on your computer they easily can scan your monitor.
...and put a key logger in your keyboard. BTW, AFAIK it's not possible
to 'scan' an LCD display because they emit far too low radiation (if at
all).
Regards,
Ingo