[KLUG Members] gpg key signing party.

Adam Tauno Williams adam at morrison-ind.com
Mon Feb 20 10:25:18 EST 2006


On Mon, 2006-02-20 at 10:07 -0500, Bruce Smith wrote:
> > > 2)  What if I upload my public key now, and change my mind later about
> > > my email addresses (I run adduid/deluid later).  Can I change my key
> > > on the server?  How?  Can I upload it again and overwrite it?
> > 
> > I'm not certain.  Do keys contain revision references?
> > > 3)  If I can change my key on the server, what keeps other people from
> > > changing my key?
> > You are uploading your public key; it can't be generated without your
> > private key.  There is no reason to 'protect' the public key.  If it is
> > altered without the presence of the private key it will be invalid.
> I understand that, but it seems like anyone could generate a
> private/public key pair with someone else's email address and upload the
> public part.
> So why couldn't someone generate a key pair for my email and upload the public
> part and overwrite my public key?  (if overwriting is allowed)

Hence the fingerprint signing and trust mechanism.  You shouldn't
accept any old key as valid; the fingerprint defines the out-of-band
authentication mechanism.
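Added example, not part of the original message: the check the thread describes, where two keys carry the same user ID and only the one matching a fingerprint obtained out of band is accepted. It computes OpenPGP version 4 fingerprints as defined in RFC 4880; the user ID, timestamps, toy moduli and helper names are constructed for illustration.

```python
import hashlib
import hmac
import struct

def mpi(n):
    """OpenPGP MPI: two-octet bit count, then the big-endian magnitude."""
    return struct.pack(">H", n.bit_length()) + n.to_bytes((n.bit_length() + 7) // 8, "big")

def rsa_public_key_body(created, n, e):
    """Body of a version 4 RSA public-key packet (RFC 4880, section 5.5.2)."""
    return bytes([4]) + struct.pack(">I", created) + bytes([1]) + mpi(n) + mpi(e)

def v4_fingerprint(body):
    """SHA-1 over 0x99, the two-octet body length, and the body (RFC 4880, 12.2)."""
    data = b"\x99" + struct.pack(">H", len(body)) + body
    return hashlib.sha1(data).hexdigest().upper()

def normalize(fpr):
    """Strip the spacing people use when reading a fingerprint aloud or off paper."""
    return "".join(fpr.split()).upper()

def verified_keys(candidates, uid, out_of_band_fpr):
    """Keep only the keys for uid whose fingerprint matches the out-of-band one."""
    want = normalize(out_of_band_fpr)
    return [k for k in candidates
            if k["uid"] == uid and hmac.compare_digest(v4_fingerprint(k["body"]), want)]

# Constructed sample data: toy moduli (products of Mersenne primes), not real keys.
UID = "Alice Example <alice@example.org>"
GENUINE = {"uid": UID, "body": rsa_public_key_body(1140448000, (2**127 - 1) * (2**89 - 1), 65537)}
IMPOSTOR = {"uid": UID, "body": rsa_public_key_body(1140449000, (2**107 - 1) * (2**61 - 1), 65537)}
KEYSERVER_RESULTS = [IMPOSTOR, GENUINE]  # both claim the same user ID

def fingerprint_slip(key):
    """What the owner hands out at the signing party: fingerprint in groups of four."""
    fpr = v4_fingerprint(key["body"])
    return " ".join(fpr[i:i + 4] for i in range(0, len(fpr), 4))

if __name__ == "__main__":
    for k in KEYSERVER_RESULTS:
        print(k["uid"], fingerprint_slip(k))
    accepted = verified_keys(KEYSERVER_RESULTS, UID, fingerprint_slip(GENUINE))
    print("accepted:", [v4_fingerprint(k["body"]) for k in accepted])
```

The user ID is just text inside the key, so both entries look identical by name and email; the fingerprint is a hash of the public key material itself and differs for every key pair.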