According to Christian D. Odhner:
Recently there was some discussion about when to sign somebody's public key and when not to. Does anybody have a short, to the point set of guidelines on when it is ok to sign? I think minimum requirements to sign would most likely be receiving that key from the owner both on and off the net. That way somebody on the net who is doing man-in-the-middle type attacks is thwarted, as is somebody who gives you the key off the net with a false net-id. Anyway, I'm sure there's more to it than that, like are phone calls ok? I mean, how did you get the # anyway? And what about meeting the person in the flesh? How do you know they are the same person you talk to on the net? Thinking too much about this could make a person .really. paranoid!
Well, I think I started that thread with a query. I got lots of discussion and summarized the (most conservative) consensus in my .plan file. You can read my policy by typing finger mdiehl@triton.unm.edu. Hope this helps.
"The NSA can have my secret key when they pry it from my cold, dead, hands... But they shall NEVER have the password it's encrypted with!"
I love it! ;^)
J. Michael Diehl ;^)               |*The 2nd Amendment is there in case the
mdiehl@triton.unm.edu              | Government forgets about the 1st! <RL>
Mike.Diehl@f29.n301.z1             |*God is a good Physicist, and an even
  .fidonet.org                     | better Mathematician. <Me>
al945@cwns9.ins.cwru.edu           |*I'm just looking for the opportunity to
(505) 299-2282 (voice)             | be Politically Incorrect! <Me>
Can we impeach him yet?            |*Protected by 18 USC 2511 and 18 USC 2703.
PGP Key = 7C06F1 = A6 27 E1 1D 5F B2 F2 F1 12 E7 53 2D 85 A2 10 5D
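As an added illustration, not part of the thread or of anyone's .plan policy, here is what the "on and off the net" rule boils down to in practice for a PGP 2.x (V3 RSA) key: compute the fingerprint of the key you received over the net and compare it with the fingerprint read to you over the other channel (phone, paper, in person). Only a match on both channels clears the key for signing. The key values below are small constructed numbers, not any real key.

```python
import hashlib
import hmac
from typing import Optional, Tuple

def mpi_body(x: int) -> bytes:
    """Big-endian bytes of an integer with no leading zeros: the MPI body
    without its 2-byte bit-count prefix."""
    return x.to_bytes((x.bit_length() + 7) // 8, "big")

def v3_fingerprint(n: int, e: int) -> str:
    """PGP 2.x fingerprint of a V3 RSA key: MD5 over the MPI bodies of the
    modulus n followed by the exponent e, with no length prefixes (RFC 4880
    section 12.2). Returned as 32 upper-case hex digits."""
    return hashlib.md5(mpi_body(n) + mpi_body(e)).hexdigest().upper()

def v3_key_id(n: int) -> str:
    """V3 key ID: the low 64 bits of the modulus (PGP 2.x printed the low
    24 bits, as in the 7C06F1 of the signature above)."""
    return f"{n & 0xFFFFFFFFFFFFFFFF:016X}"

def format_fingerprint(fp_hex: str) -> str:
    """Group the hex pairs the way PGP 2.x printed them: 'A6 27 E1 1D ...'."""
    return " ".join(fp_hex[i:i + 2] for i in range(0, len(fp_hex), 2))

def normalize(fp_text: str) -> str:
    """Strip the spacing a person reads over the phone and fold case."""
    return "".join(fp_text.split()).upper()

def ok_to_sign(net_key: Tuple[int, int], out_of_band_fp: Optional[str]) -> bool:
    """The thread's minimum rule: the key arrived on the net AND its
    fingerprint was confirmed off the net. No off-net confirmation, no
    signature; a mismatch means the net copy is not the owner's key."""
    if out_of_band_fp is None:
        return False
    computed = v3_fingerprint(*net_key)
    return hmac.compare_digest(computed, normalize(out_of_band_fp))

# Constructed sample key (hypothetical, far too small to be real).
ALICE_N = 0xD4F5B7A9C2E3018F6A5B4C3D2E1F0A9B8C7D6E5F4A3B2C1D0E9F8A7B6C5D4E3F
ALICE_E = 17
# A different modulus, standing in for a key substituted in transit.
SWAPPED_N = ALICE_N ^ 0x1

if __name__ == "__main__":
    phone_fp = format_fingerprint(v3_fingerprint(ALICE_N, ALICE_E))
    print("fingerprint read over the phone:", phone_fp)
    print("net key matches:", ok_to_sign((ALICE_N, ALICE_E), phone_fp))
    print("swapped key matches:", ok_to_sign((SWAPPED_N, ALICE_E), phone_fp))
```

The comparison is constant-time and tolerant of the spacing and case a person introduces when reading a fingerprint aloud; a key with no off-net confirmation is refused outright.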