[Nottingham] (no subject)

Rory Holland me at rory.sh
Sat Nov 21 16:58:24 UTC 2015


As if anyone uses these for anything anyway.

I did have a thought the other day: It might be cool to buy one of the new
.pub domains just to put one's key on though. I haven't done so, but e.g.

curl rory.pub | gpg --import



Rory Holland <me at rory.sh>
Contact info & PGP key: http://rory.sh

On 21 November 2015 at 14:59, Roger Light <roger at atchoo.org> wrote:

> On Sat, Nov 21, 2015 at 10:03 AM, david at gbenet.com <david at gbenet.com>
> wrote:
>
> > People had have my old key will be aware they share the same information.
>
> The point is that there's no guarantee it is in fact linked to you.
> They met you, presumably checked your credentials, then signed your
> key. This time, all there is is an email from someone alleging to use
> the same email address (which isn't the same as in the key), signed by
> the new key. Anybody could forge a mail with a fake gpg key saying the
> same, without some link between the old key and the new there is no
> reason to assume they are connected.
>
> I've attached a different gpg key with the exact same parameters as
> yours. By your reckoning, everyone should assume that it belongs to
> you as well, which is clearly not the case.
>
> If you don't care about the web of trust aspect, then sure ask people
> to sign your keys without verification, but you should bear in mind it
> then doesn't mean anything.
>
> Cheers,
>
> Roger
>
> _______________________________________________
> Nottingham mailing list
> Nottingham at mailman.lug.org.uk
> https://mailman.lug.org.uk/mailman/listinfo/nottingham
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.lug.org.uk/pipermail/nottingham/attachments/20151121/f1dfe245/attachment.html>


More information about the Nottingham mailing list