6 Jun 2003 obi   » (Journeyer)

I don't want to sound pedantic, and maybe I'm missing something, but how is one to verify that you are really who you say you are? Anyone can whip up a website with a phonenumber, say they're "Dan York", create a gpg key, and refer people to that website.

Maybe they were just paranoid, but the people who told me how to use GPG/PGP also told me to only sign some person's key if you actually met them in person, with some kind of proof that they are who they say they are (photo-id). Or maybe by checking the key fingerprint over the phone if you know the person, and his or her voice.

If I'd sign people without properly checking, the result would be that when people notice this, they'd simply adjust the trust they assign to my key, so that it wouldn't "weigh" as much in the trust calculations.

Latest blog entries     Older blog entries

New Advogato Features

New HTML Parser: The long-awaited libxml2 based HTML parser code is live. It needs further work but already handles most markup better than the original parser.

Keep up with the latest Advogato features by reading the Advogato status blog.

If you're a C programmer with some spare time, take a look at the mod_virgule project page and help us with one of the tasks on the ToDo list!