[Foundation-l] PGP-keysign at the tech/chapter-meeting

Aryeh Gregor Simetrical+wikilist at gmail.com
Wed Apr 1 13:48:15 UTC 2009


On Wed, Apr 1, 2009 at 8:51 AM, Tim Starling <tstarling at wikimedia.org> wrote:
> Private keys can be compromised by anyone with a whim and a few
> thousand dollars, either physically by compromise of the device, or
> remotely by social engineering or zero-day exploit. Key signing
> parties are premised on the idea that private keys are really private.
> Since they aren't, the additional security of a real-life meeting is
> somewhat farcical.

Moreover, what's to stop someone from showing up and claiming to be
you?  How are you going to confirm that -- by their telling you
they're coming and what they look like, over the Internet?  Why don't
they just sign your keys over the Internet and skip the middle-man?

Not to be negative or anything, sorry.  (I'm not even going to be there.)


