Keysigning

Drake Diedrich dld at coyote.com.au
Wed Nov 21 20:34:35 EST 2001


On Wed, Nov 21, 2001 at 04:43:51PM +1100, Matthew Hawkins wrote:
> 
> And congratulations, you've proved that the person who has a spoofed
> fingerprint can generate / purchase fake photo id as well.
> 

   What you've proven is that you've met a person asserting, in person and
having made some effort and potential risk (forging an official document),
that they claim ownership of the associated secret key.  Just having a
fingerprint and showing up to get a signature won't do much good if they
don't actually have the secret key.
  To do better, you can insist that the person engage in a signed
conversation to the email address in the signature before signing (and
including the personal introduction), which would also confirm the possession
of the email address by the holder of the secret key.
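
An added example, not part of the original post: one way to check the signed reply in such an exchange, by parsing GnuPG's `--status-fd` output. The function names and sample fingerprints are constructed for illustration, and `check_reply_file` assumes `gpg` is on the PATH with the correspondent's public key already imported.

```python
import secrets
import subprocess

def new_challenge() -> str:
    """Nonce to mail to the address in the key's user ID."""
    return secrets.token_hex(16)

def primary_fingerprints(status: str) -> set:
    """Primary-key fingerprints from '[GNUPG:] VALIDSIG' status lines."""
    found = set()
    for line in status.splitlines():
        parts = line.split()
        if parts[:2] == ["[GNUPG:]", "VALIDSIG"] and len(parts) >= 3:
            # The last VALIDSIG argument is the primary key's fingerprint;
            # fall back to the signing key's fingerprint on a shorter line.
            found.add((parts[11] if len(parts) >= 12 else parts[2]).upper())
    return found

def reply_proves_control(status, plaintext, expected_fpr, nonce) -> bool:
    """True only if the reply carries a valid signature from the key whose
    fingerprint was exchanged in person AND echoes the nonce that was sent
    to the e-mail address in the user ID."""
    expected = "".join(expected_fpr.split()).upper()
    signed_by_expected = expected in primary_fingerprints(status)
    return bool(nonce) and signed_by_expected and nonce in plaintext

def check_reply_file(path, expected_fpr, nonce) -> bool:
    """Run gpg on a saved reply: status lines on stderr, plaintext on stdout."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "2", "--decrypt", path],
        capture_output=True, text=True)
    return reply_proves_control(proc.stderr, proc.stdout, expected_fpr, nonce)

# Constructed sample data (not real keys): a reply signed by a subkey
# of the primary key whose fingerprint was read out in person.
SAMPLE_FPR = "0123 4567 89AB CDEF 0123  4567 89AB CDEF 0123 4567"
SAMPLE_STATUS = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] GOODSIG 76543210FEDCBA98 Constructed User <user@example.org>\n"
    "[GNUPG:] VALIDSIG FEDCBA9876543210FEDCBA9876543210FEDCBA98 2001-11-21 "
    "1006335275 0 4 0 1 2 01 0123456789ABCDEF0123456789ABCDEF01234567\n"
)
```

Sign the key only when the check returns True for a reply to a challenge you generated yourself; a valid signature from some other key, or a reply that does not echo the nonce, proves nothing about the fingerprint you were shown.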



