1992-12-10 - No more PGP keys without signatures, please!

Header Data

From: gnu (John Gilmore)
To: cypherpunks@toad.com
Message Hash: ed83b606879bdd3356efad719e3c2fc4927d469da7fea4268963f295f326dd0a
Message ID: <9212101103.AA02644@toad.com>
Reply To: <9212080624.AA17822@soda.berkeley.edu>
UTC Datetime: 1992-12-10 11:03:08 UTC
Raw Date: Thu, 10 Dec 92 03:03:08 PST

Raw message

From: gnu (John Gilmore)
Date: Thu, 10 Dec 92 03:03:08 PST
To: cypherpunks@toad.com
Subject: No more PGP keys without signatures, please!
In-Reply-To: <9212080624.AA17822@soda.berkeley.edu>
Message-ID: <9212101103.AA02644@toad.com>
MIME-Version: 1.0
Content-Type: text/plain


People continue to post PGP keys that are not vouched for by anyone.
E.g. none of the keys for remailers has any signatures.  This makes it
impossible to trust those remailers, since anyone could have generated
such a key and sent it through a remailer saying it was from someone
else.

If you put up a remailer service, sign its key with your personal key,
at least.  Preferably get a few other people to sign it (by showing them
that the key is really the one used in the remailer, in person).

If you generate a key for yourself, don't just post it -- take it to
a friend, and cross-sign each other's keys.  If you do that a few times,
then you can post it, and the recipients are likely to know one of those
friends, possibly trusting them to certify your key.

	John
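
One way to run the check this message asks for against a keyring, as an added example that is not part of the original message: it parses the colon-delimited output of `gpg --check-sigs --with-colons` and flags keys whose only verified certification is their own self-signature. Using GnuPG rather than the PGP of 1992 is an assumption, and the sample output, key IDs and function names are constructed for illustration.

```python
# Added example: sample data and names are constructed, not from the message.
CERT_CLASSES = {"10", "11", "12", "13"}  # OpenPGP user-ID certification types

# Constructed sample in the shape of `gpg --check-sigs --with-colons` output.
SAMPLE = """\
pub:-:2048:1:1111111111111111:1700000000:::-:::scESC:
uid:-::::1700000000::::Remailer A <remailer-a@example.org>:
sig:!::1:1111111111111111:1700000000::::Remailer A <remailer-a@example.org>:13x:
sub:-:2048:1:1111111111111112:1700000000::::::e:
sig:!::1:1111111111111111:1700000000::::Remailer A <remailer-a@example.org>:18x:
pub:-:2048:1:2222222222222222:1700000000:::-:::scESC:
uid:-::::1700000000::::Remailer B <remailer-b@example.org>:
sig:!::1:2222222222222222:1700000000::::Remailer B <remailer-b@example.org>:13x:
sig:!::1:3333333333333333:1700000100::::Operator <op@example.org>:10x:
sig:?::1:4444444444444444:1700000200::::[User ID not found]:10x:
sig:-::1:5555555555555555:1700000300::::Mallory <m@example.org>:10x:
"""

def third_party_certs(colon_output):
    """Map each primary key ID to the key IDs of others whose certification verified."""
    result, current, in_uid = {}, None, False
    for line in colon_output.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            current, in_uid = f[4], False
            result[current] = set()
        elif f[0] in ("uid", "uat"):
            in_uid = True            # following sig records certify this user ID
        elif f[0] == "sub":
            in_uid = False           # following sig records are subkey bindings
        elif f[0] == "sig" and current and in_uid and len(f) > 10:
            verified = f[1].startswith("!")   # "-" bad, "?" signer key missing
            is_cert = f[10][:2].upper() in CERT_CLASSES
            if verified and is_cert and f[4] != current:  # skip self-signatures
                result[current].add(f[4])
    return result

def classify(colon_output, trusted_signers):
    """Label each key by who vouches for it; trusted_signers is the caller's own list."""
    report = {}
    for key, signers in third_party_certs(colon_output).items():
        if not signers:
            report[key] = "unvouched"
        elif signers & set(trusted_signers):
            report[key] = "vouched-by-known"
        else:
            report[key] = "vouched-by-unknown"
    return report
```

A verified signature only shows that some key certified the user ID; whether that signer is someone you trust to certify keys remains your own decision, which is what `trusted_signers` stands in for.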





Thread