Signed posts (was Re: FV ... Fatal Flaw ...)
-----BEGIN PGP SIGNED MESSAGE-----

Amidst all of the <exon> about the "fatal flaw", Mr. Scarenstein brings up (amazingly) an interesting point regarding signed posts that I have wondered about for a while.

At 5:30 PM 1/29/96, Nathaniel Borenstein wrote (highly edited!):

> Do you have my key in your key ring? I rather doubt it. So what good would it have done?
> Have you downloaded my key from the net? Assume that you have. How do you know it's mine?

The issue of knowing that a signed post belongs to a particular individual has come up often. Clearly the best approach is verifying the key in person. Failing that, however, I have adopted a strategy of maximizing the probability that the key actually belongs to me. I do this by:

1. Including the fingerprint and where to get the key in my signed post (within the pgp sig)
2. Putting the key in a fairly secure place (i.e. on a machine controlled by my employer, but where I can check the key periodically)
3. Putting the same key on the keyservers

I could (and should) also place it on my web page as well.

This is not to say that someone could not impersonate me by creating a key and placing it in all of these places, but I think it would be difficult, and probably not worth the effort. I am not real worried about this threat (but heck, if someone really wants to impersonate me, I'd be flattered).

I think these measures are probably sufficient for a mailing list level of discussion. Any comments? (flames >/dev/null)

Clay

- --------------------------------------------------------------------------
Clay Olbon II            | olbon@dynetics.com
Systems Engineer         | ph: (810) 589-9930 fax 9934
Dynetics, Inc., Ste 302  | http://www.msen.com/~olbon/olbon.html
550 Stephenson Hwy       | PGP262 public key: finger olbon@mgr.dynetics.com
Troy, MI 48083-1109      | pgp print: B97397AD50233C77523FD058BD1BB7C0
    "To escape the evil curse, you must quote a bible verse;
     thou shalt not ... Doooh" - Homer (Simpson, not the other one)
- --------------------------------------------------------------------------

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBMQ4mjwS4mEMx6xUNAQFkjgP/QYovJZzguQy4yQqWYZQPCpZn1oU8VaCr
14JW7XIk29F4xDHEPT8YlCvt7lJ6aYvWNbFVpmTWzj8IiAgWwDeQZVbQyA+YRuMs
w5kOF2brGAElln+j5hxtoIzvfy2lp+Jr8c6Q3yklCX6Yizt6G+Ma08HC1HkUZ2Jd
d0GSBZwk4nw=
=PF/1
-----END PGP SIGNATURE-----
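An added example, not part of the original post: PGP 2.6.x keys are version 3 keys, whose fingerprint is the MD5 hash of the RSA modulus and exponent bytes, so a reader can recompute the fingerprint from the key actually fetched and compare it with what each channel in the list above publishes. The key material, channel names and function names here are constructed for illustration.

```python
import hashlib
import struct

def mpi(n: int) -> bytes:
    """Encode an integer as an OpenPGP MPI: 2-byte bit count, then big-endian bytes."""
    return struct.pack(">H", n.bit_length()) + n.to_bytes((n.bit_length() + 7) // 8, "big")

def read_mpi(buf: bytes, off: int):
    """Return (magnitude bytes, next offset) for the MPI starting at off."""
    bits = struct.unpack_from(">H", buf, off)[0]
    end = off + 2 + (bits + 7) // 8
    if end > len(buf):
        raise ValueError("truncated MPI")
    return buf[off + 2:end], end

def v3_fingerprint(body: bytes) -> str:
    """MD5 over the modulus and exponent bytes (length prefixes excluded) of a v3 key."""
    # Body layout: version(1) created(4) validity-days(2) algorithm(1) MPI n, MPI e
    if len(body) < 8 or body[0] not in (2, 3) or body[7] != 1:
        raise ValueError("not a v2/v3 RSA public key packet body")
    n, off = read_mpi(body, 8)
    e, _ = read_mpi(body, off)
    return hashlib.md5(n + e).hexdigest().upper()

def normalize(fp: str) -> str:
    """Strip whitespace and case so differently formatted fingerprints compare equal."""
    return "".join(fp.split()).upper()

def cross_check(key_body: bytes, published: dict) -> dict:
    """Map each channel to True if its published fingerprint matches the key in hand."""
    actual = v3_fingerprint(key_body)
    return {channel: normalize(fp) == actual for channel, fp in published.items()}

# Constructed sample key material (toy-sized numbers, not a real key).
N, E = 0xC0FFEE1234567890ABCDEF0123456789, 17
KEY = bytes([3]) + struct.pack(">IH", 822960000, 0) + bytes([1]) + mpi(N) + mpi(E)
GOOD = v3_fingerprint(KEY)
SPACED = " ".join(GOOD[i:i + 2] for i in range(0, 32, 2))  # spaced hex pairs
# Constructed channel data: three channels agree, one publishes something else.
CHANNELS = {"signed post": GOOD, "finger": SPACED.lower(),
            "keyserver": GOOD, "web page": "0" * 32}

if __name__ == "__main__":
    for channel, ok in cross_check(KEY, CHANNELS).items():
        print(f"{channel:12} {'match' if ok else 'MISMATCH'}")
```

A match on every channel shows only that the channels agree with the key in hand, which is the residual risk the post itself describes. MD5 is also no longer collision-resistant, so a v3 fingerprint is weaker evidence today than it was in 1996.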