Email is *not* enough. Easily forged, easily intercepted, not secure. This mail could be coming from me, it could be coming from the NSA, it could be my cat jumping on my keyboard's function keys triggering emacs form-letter-mode. No way to tell. Cat already dumped my password and modem dialcodes into this mail message, and he's still pretty young :-)

Building and maintaining a web of trust means we're all responsible for signing keys carefully, and making sure people know how careful our signatures are. Read through the READMEs a couple more times until you really understand the procedures!

My view is that you should only sign a key if you really *know* that the person whose key you're signing is that person and you've verified with them that you've got the right key. If somebody *you recognize* hands you their key, fine - I recognize about 10 or so well-known cypherpunks that I could do this with (plus other people who might be interested but aren't verbose contributors here :-) On the other hand, if Vesselin Bontchev asked me to sign his key, I wouldn't do it, because I don't know him by sight, unless somebody I know who knows him personally introduced us.

If somebody you know by *voice* wants you to sign their key, you'd better at least have a voice telephone call with them where you read key fingerprints over the phone. This is how I had Phil sign my key, and there are 3-4 others here I could probably do this with if I wanted.

When you're adding people to your PGP keyring, pgp asks you how well you trust people to sign keys. You can trust me to do that much for identifying people, but on the other hand I've got a diskless workstation as the only thing I have that can do PGP until I get it on my wife's laptop, so you can't trust that my keyring hasn't been hacked -- that's why my pgp userid says "multiuser" in it. I really won't feel comfortable signing keys until I've got a secure system and we've got an RSAREF implementation that makes use of RSA kosher.
If you're likely to sign keys for people you don't really know well, such as giving out starter PGP floppies at a trade show or rave or something, I suppose you could generate a separate key/userid that says it's not very secure, signed by your regular key, but do try to at least check easily-forged ID like driver's licenses for people you don't know, and encourage them to generate real keys and get them signed by people that *they* really know. It's not ideal; do people feel that's acceptable to get people initial connections?

Bill
# Bill Stewart wcs@anchor.ho.att.com +1-908-949-0705 Fax-4876
# AT&T Bell Labs, Room 4M-312, Crawfords Corner Rd, Holmdel, NJ 07733-3030
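As an added illustration (not part of Bill's message, and not PGP's own code), the following Python models the two mechanisms the message leans on: the owner-trust answers PGP asks for when a key is added to a ring, from which key validity is computed across the web of trust, and the fingerprint read-back done over a voice call before signing. The trust thresholds are assumed to mirror the classic PGP 2.x defaults (Marginals_Needed = 2, Completes_Needed = 1); the key names, trust assignments and the fingerprint are constructed sample values.

```python
# Added example: toy web-of-trust validity computation plus the phone
# fingerprint check. All names, trust values and the fingerprint are
# constructed; thresholds are an assumption modelled on PGP 2.x defaults.
from dataclasses import dataclass

# Owner-trust levels: the answer PGP asks for when a key is added to your ring.
UNKNOWN, NEVER, MARGINAL, FULL, ULTIMATE = range(5)

# Assumed thresholds (classic PGP 2.x: Marginals_Needed = 2, Completes_Needed = 1).
MARGINALS_NEEDED = 2
COMPLETES_NEEDED = 1


@dataclass
class Keyring:
    ownertrust: dict   # key id -> how far YOU trust this owner to introduce others
    signatures: dict   # key id -> set of key ids whose signatures appear on it


def compute_validity(ring: Keyring, max_rounds: int = 10) -> set:
    """Return the set of key ids whose key-to-owner binding counts as valid.

    Your own (ultimately trusted) keys are valid by definition. Another key
    becomes valid once it carries enough signatures from keys that are both
    valid themselves and trusted (fully or marginally) as introducers. The
    loop runs to a fixed point because validity propagates along chains.
    """
    valid = {k for k, t in ring.ownertrust.items() if t == ULTIMATE}
    for _ in range(max_rounds):
        grown = set(valid)
        for key, signers in ring.signatures.items():
            if key in grown:
                continue
            usable = [s for s in signers if s in valid]
            completes = sum(1 for s in usable if ring.ownertrust.get(s, UNKNOWN) >= FULL)
            marginals = sum(1 for s in usable if ring.ownertrust.get(s, UNKNOWN) == MARGINAL)
            if completes >= COMPLETES_NEEDED or marginals >= MARGINALS_NEEDED:
                grown.add(key)
        if grown == valid:
            break
        valid = grown
    return valid


def spoken_groups(fingerprint: str) -> list:
    """Normalise a fingerprint (any case, any spacing) into 4-hex-digit groups,
    the form you would read aloud over the phone."""
    digits = "".join(c for c in fingerprint.upper() if c in "0123456789ABCDEF")
    return [digits[i:i + 4] for i in range(0, len(digits), 4)]


def fingerprint_matches(local: str, read_back: str) -> bool:
    """True only if every group read back over the phone equals the local copy."""
    groups = spoken_groups(local)
    return len(groups) > 0 and groups == spoken_groups(read_back)


def ok_to_sign(known_by: str, fingerprint_confirmed: bool) -> bool:
    """The message's policy: sign only for someone you know by sight, or by
    voice after reading fingerprints over the phone, and only if they matched."""
    return known_by in ("sight", "voice") and fingerprint_confirmed


# Constructed keyring: 'me' owns the ring; 'phil' signed my key and is fully
# trusted; 'alice' and 'bob' are people I recognise and trust as marginal
# introducers; 'stranger' is someone I cannot vouch for at all.
SAMPLE_RING = Keyring(
    ownertrust={"me": ULTIMATE, "phil": FULL, "alice": MARGINAL, "bob": MARGINAL,
                "carol": UNKNOWN, "dave": UNKNOWN, "eve": UNKNOWN, "stranger": UNKNOWN},
    signatures={"phil": {"me"}, "alice": {"me"}, "bob": {"me"},
                "carol": {"alice", "bob"},   # two marginal introducers -> valid
                "dave": {"alice"},           # one marginal introducer -> not valid
                "eve": {"stranger"},         # signer is neither valid nor trusted
                "me": set(), "stranger": set()},
)

# Constructed 16-byte fingerprint, written in groups as it would be read aloud.
LOCAL_FPR = "3F2B 8A1C 9D0E 7F65 4B3A 2C1D 8E9F 0A7B"

if __name__ == "__main__":
    print("valid keys:", sorted(compute_validity(SAMPLE_RING)))
    print("phone check:", fingerprint_matches(LOCAL_FPR, "3f2b8a1c9d0e7f654b3a2c1d8e9f0a7b"))
    print("sign for someone known only by email?", ok_to_sign("email only", True))
```

Note that `carol` becomes valid only because two independent marginal introducers signed her key, while `eve`'s single signature from an untrusted, unvalidated key counts for nothing; that is the difference the message is drawing between keys signed by people you recognise and keys signed by whoever happened to be at the trade show.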