On Wed, Apr 1, 2009 at 8:51 AM, Tim Starling <tstarling(a)wikimedia.org> wrote:
Private keys can be compromised by anyone with a whim and a few
thousand dollars, either physically by compromise of the device, or
remotely by social engineering or zero-day exploit. Key signing
parties are premised on the idea that private keys are really private.
Since they aren't, the additional security of a real-life meeting is
somewhat farcical.
Moreover, what's to stop someone from showing up and claiming to be
you? How are you going to confirm that -- by their telling you
they're coming and what they look like, over the Internet? Why don't
they just sign your keys over the Internet and skip the middle-man?
Not to be negative or anything, sorry. (I'm not even going to be there.)