gpg: failed to create temporary file '/var/lib/lurker/.#lk0x581b3100.hantslug.org.uk.10294': Permission denied
gpg: keyblock resource '/var/lib/lurker/pubring.gpg': Permission denied
gpg: Signature made Mon Dec 14 19:27:46 2009 GMT
gpg: using DSA key 2099B64CBF15490B
gpg: Can't check signature: No public key
Hi James,
On Mon, Dec 14, 2009 at 04:12:38PM +0000, James Courtier-Dutton wrote:
> One does not actually have to sign the keys in the presence of the person.
Personally I will want to see some government-issued photo ID, which
generally means meeting in person.
I will do the actual signing at a later date when I have time.
> For example, I could exchange business cards with ones name and key
> finger print number. They would know the key finger print number was
> mine because I gave it to them in person.
> That person could then sign my key later and email it to me, and visa versa.
> The important bit is ensuring that the name on the business card is
> actually the same as the person giving it to you.
> At which point one gets into the area of "identity management" .
> I.e. Person X introduced himself as Fred Bloggs and gave me a business
> card with "fred bloggs" written on it with a key finger print.
> I have no way of knowing 100% that Person X is in fact Fred Bloggs.
> All I can be sure of is that if I then get a digitally signed email
> from someone calling themselves Fred Bloggs, and the signature key
> matches the key finger print on the business card I was given, I can
> be fairly sure that it was sent by person X.
The problem is that others will be using third party signatures as a means to
know that this person really is who they say they are. If not
actually verifying that they are who they say they are then it might
be better to only locally sign, so that it works for you but others
don't depend on it.
Cheers,
Andy
--
http://bitfolk.com/ -- No-nonsense VPS hosting
