key-signing for pseudonyms

Chris Fox dissectingtable at comast.net
Sun May 16 10:08:35 CEST 2004


Atom 'Smasher' wrote:

> here's a thought....
>
> let's say i meet someone and their key-name is a pseudonym. we want to
> sign each other's keys, but i have no idea who this person is.
>
> we can generate a random string (while face-to-face) and each write that
> down on paper (taking precautions that this shared secret remains secret).
> later, i generate (by myself) a second random string and email it to them,
> encrypted and signed. when they mail me back both strings, encrypted and
> signed, i sign their key and send it back encrypted (and delete my local
> copy of their key signature). when the signature appears publicly, can
> there be much doubt that i'm dealing with the same person i met?
>
> if both of us are using pseudonyms, we agree on two random strings when we
> meet... one string is their secret that they confirm with me, the other is
> my secret that i confirm with them.
>
> how secure (trusted?) is such a protocol?
>
> what level of trust (signature) would this earn?
>
> in such a situation, what disclaimers might someone use in a policy-url?
>
If you don't have a copy, you should get one, and the discussion you'd 
find most useful is in chapter 22.

http://www.amazon.com/exec/obidos/tg/detail/-/0471117099/qid=1084694789/sr=1-1/ref=sr_1_1__i1_xgl14/102-5881488-5636902?v=glance&s=books
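
The challenge and response from the quoted message, written out with gpg as an added example (not code from either poster). Both parties share one throwaway keyring here so it runs offline; the user IDs, file names and helper functions are assumptions, and the signer is checked by fingerprint, which the parties are assumed to have exchanged when they met.

```shell
#!/bin/sh
# Added example: both parties are simulated in one temporary GNUPGHOME.
set -eu
GNUPGHOME=$(mktemp -d); export GNUPGHOME; chmod 700 "$GNUPGHOME"
trap 'gpgconf --kill gpg-agent 2>/dev/null || true; rm -rf "$GNUPGHOME"' EXIT

g() { gpg --batch --quiet --no-tty --trust-model always \
          --pinentry-mode loopback --passphrase '' "$@"; }
fpr() { g --with-colons --fingerprint "$1" | awk -F: '$1=="fpr"{print $10; exit}'; }
rand() { g --gen-random --armor 1 18; }

# Constructed identities (hypothetical); real parties hold separate keyrings.
g --quick-generate-key 'Me <me@example.invalid>' default default never 2>/dev/null
g --quick-generate-key 'Nym <nym@example.invalid>' default default never 2>/dev/null
ME=$(fpr me@example.invalid); NYM=$(fpr nym@example.invalid)

# send FROM TO TEXT FILE: encrypt TEXT to TO and sign it as FROM.
send() { printf '%s\n' "$3" | g --yes -u "$1" -r "$2" --armor --sign --encrypt -o "$4"; }

# recv FILE SIGNER: print the plaintext only if FILE decrypts and carries a
# valid signature whose primary-key fingerprint is SIGNER.
recv() {
    st="$GNUPGHOME/status"; rm -f "$st"
    out=$(g --status-file "$st" --decrypt "$1" 2>/dev/null) || return 1
    [ "$(awk '$2=="VALIDSIG"{print $NF}' "$st")" = "$2" ] || return 1
    printf '%s\n' "$out"
}

# verify_reply FILE PAPER NONCE: accept only a reply signed by NYM that
# returns both the face-to-face string and the emailed string.
verify_reply() {
    got=$(recv "$1" "$NYM") || return 1
    [ "$got" = "$2 $3" ]
}

PAPER=$(rand)    # agreed face to face and written on paper
NONCE=$(rand)    # generated later, alone
send "$ME" "$NYM" "$NONCE" "$GNUPGHOME/challenge.asc"
# Pseudonym's side: decrypt, check it came from ME, answer with both strings.
seen=$(recv "$GNUPGHOME/challenge.asc" "$ME")
send "$NYM" "$ME" "$PAPER $seen" "$GNUPGHOME/reply.asc"

if verify_reply "$GNUPGHOME/reply.asc" "$PAPER" "$NONCE"; then
    g -u "$ME" --quick-sign-key "$NYM"   # certify only after the check passes
    echo "reply verified, key signed"
fi
```

Returning the signed key encrypted and deleting the local copy of the signature, as the message describes, are left out of this block.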




