A question about verifying keys
James Davis
jamesd at jml.net
Fri Dec 19 11:26:11 CET 2008
A colleague of mine asked me to send him a signed e-mail of fingerprints
of some keys that I'd personally verified earlier in the day. I'd also
signed the keys, and published the signatures to a public key server.
I argued that my signature on the publicly available keys was as good as
the signed e-mail of the fingerprints. He seemed to think that the
public key server introduced the possibility of meddling with the keys
(although I pointed out that if this was the case, my signatures
wouldn't verify).
Is a signed e-mail containing a fingerprint equivalent to signing a key?
James
More information about the Gnupg-users
mailing list