I'm having a philosophical problem regarding when to sign someone else's public key. Obviously, if you watch someone generate a key, and they physically hand you a copy of it, you should sign it. Fortunately, life has been this good to me about 5 times.

But what if life isn't so good? Let's say someone emails me a key and the return address matches that of the address in the key. Do I assume no one is spoofing me? You have to admit that this is possible, albeit unlikely. What good is key certification if it is only "probably valid"?

I've noticed that many of the keys on the server are signed with the same person's key. I doubt that these people have had physical contact with each of the people whose key they've signed.

Am I just being paranoid, or is there a valid issue here? I welcome any of your comments.

+-----------------------+-----------------------------+---------+
| J. Michael Diehl ;-)  | I thought I was wrong once. | PGP KEY |
| mdiehl@triton.unm.edu | But, I was mistaken.        |available|
| mike.diehl@fido.org   |                             | Ask Me! |
| (505) 299-2282        +-----------------------------+---------+
|                                                               |
+------"I'm just looking for the opportunity to be -------------+
|            Politically Incorrect!"   <Me>                     |
+-----If codes are outlawed, only criminals will have codes.----+
+----Is Big Brother in your phone?  If you don't know, ask me---+