octave-maintainers

Re: [OctConf 2014] OpenPGP key signing anyone?


From: Mike Miller
Subject: Re: [OctConf 2014] OpenPGP key signing anyone?
Date: Wed, 17 Sep 2014 11:15:17 -0400

[Trimming help@ from cc]

On Wed, Sep 17, 2014 at 16:14:56 +0200, Juan Pablo Carbajal wrote:
> On Wed, Sep 17, 2014 at 3:34 PM, Mike Miller <address@hidden> wrote:
>> hard copies of your key fingerprint
>
> Sorry for my ignorance. What would that hard copy be?
> It is not that I am going, but as you noticed I do not know much about
> this phenomenon.

No problem, happy to answer questions. What I mean is to bring slips
of paper with the details of your OpenPGP key fingerprint and UIDs,
preferably enough to hand out to however many people you would expect
to interact with.

If there had been more interest, I would have coordinated by
collecting everyone's key information over email and sending out a
single document that contains all the keys so everyone doesn't drown
in little pieces of paper.

The actual in-person exchange and verification of keys between two
people requires no computer, just one or more photo IDs and slips of
paper from each party with the output of `gpg --fingerprint`. Let's
say you hand me a piece of paper that has your key's fingerprint and
your name and email address(es) associated with the key (exactly what
`gpg --fingerprint` produces) and a photo ID or two. I will try to
verify that the photo ID matches the person standing in front of me,
and that the legal name on the photo ID matches the name(s) on the
key. If everything looks good, I return your photo ID, keep the paper,
make a note that everything checks out, and then later I can digitally
sign your key at a computer that I trust.

Signing involves downloading your key from a public key server, making
sure that the fingerprint from the downloaded key exactly matches what
was on the slip of paper you handed me, and then using gpg or another
program to sign the key and send it back to you or to a key server. By
signing your key, I am indicating that (1) I trust that a signature
made with your key from your email address was actually signed by you
and no one else, and that (2) I trust that I can send something
encrypted to your key and email address and it will only be able to be
decrypted by you and no one else.

-- 
mike
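
The fingerprint comparison described in the message above, as an added example that is not part of the original post: it checks the slip of paper against the primary-key fingerprint in `gpg --with-colons --fingerprint` output before any signing happens. The function names and the sample key listing are constructed for illustration, and 40-hex-digit (v4) fingerprints are assumed.

```shell
#!/bin/sh
# Added example (not from the original message). Function names are hypothetical.

# Drop spaces, tabs, newlines and colons and upper-case the hex digits, so the
# grouped form printed by `gpg --fingerprint` compares equal to the raw form.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t\n:' | tr 'a-f' 'A-F'
}

# Read colon-format key listing on stdin and print the primary key fingerprint:
# the first "fpr" record after the "pub" record. Subkey fingerprints are ignored.
primary_fpr() {
    awk -F: '$1 == "pub" { want = 1; next }
             $1 == "sub" { want = 0 }
             $1 == "fpr" && want { print $10; exit }'
}

# Usage: gpg --with-colons --fingerprint KEYID | check_slip "text from the slip"
# Returns 0 on an exact match, 1 on a mismatch, 2 if the slip text is not a
# full fingerprint (for example a short or long key ID, which must not be trusted).
check_slip() {
    slip=$(normalize_fpr "$1")
    case "$slip" in
        *[!0-9A-F]*) return 2 ;;
    esac
    [ "${#slip}" -eq 40 ] || return 2   # assumption: v4 key, 160-bit fingerprint
    key=$(primary_fpr)
    [ -n "$key" ] && [ "$slip" = "$(normalize_fpr "$key")" ]
}

# Constructed sample of `gpg --with-colons --fingerprint` output (not a real key).
SAMPLE_COLONS='pub:-:4096:1:89ABCDEF01234567:1400000000:::-:::scESC:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:-::::1400000000::0000000000000000000000000000000000000000::Alice Example <alice@example.org>:
sub:-:4096:1:1122334455667788:1400000000::::::e:
fpr:::::::::FEDCBA9876543210FEDCBA9876543210FEDCBA98:'

# Slip text as it would appear on paper, with the grouping gpg prints.
SAMPLE_SLIP='0123 4567 89AB CDEF 0123  4567 89AB CDEF 0123 4567'

if printf '%s\n' "$SAMPLE_COLONS" | check_slip "$SAMPLE_SLIP"; then
    echo "fingerprint matches the slip"
else
    echo "fingerprint does NOT match the slip: do not sign"
fi
```
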


