On Wed, Apr 1, 2009 at 8:51 AM, Tim Starling tstarling@wikimedia.org wrote:
Private keys can be compromised by anyone with a whim and a few thousand dollars, either physically by compromise of the device, or remotely by social engineering or zero-day exploit. Key signing parties are premised on the idea that private keys are really private. Since they aren't, the additional security of a real-life meeting is somewhat farcical.
Moreover, what's to stop someone from showing up and claiming to be you? How are you going to confirm that -- by their telling you they're coming and what they look like, over the Internet? Why don't they just sign your keys over the Internet and skip the middle-man?
Not to be negative or anything, sorry. (I'm not even going to be there.)