
Re: Things we should know about PGP



On Wed, May 09, 2012 at 01:32:12PM +0200, Ralf Mardorf wrote:
> When the subject was "gpg/pgp noise" Jon Dowland wrote: "I clearly
> explained that his key was signed by another he owned, which in turn was
> signed by *someone else entirely*."
> 
> A chain of unsigned keys for one and the same person, with one key at
> the end of this chain that is signed by one person only, or even by
> enough persons, is useless. This isn't the correct way to sign a
> key, since it's neither secure nor handy.

I didn't check beyond the other person: if they have sigs on their key,
then it's feasible Mika is joined to a/the web of trust.  Rather than
try to manually construct such a path, I fed Mika's key into pathfinder
web sites, but his key is not widespread enough, and the ones I tried
didn't know about him.  I did not rule him out of the web of trust, nor
prove him in.

> OTOH, when do you really need signing? More likely is that you will
> encrypt mails, e.g. to ensure that if you write to a family with young
> children, using the same computer, only the parents can read mails with
> contents that aren't good for children. In such a case it's not needed
> to ensure that the key is trusted. It's only important that the parents
> know how to decrypt and the children don't know it. This also prevents
> manipulation of the mail's content, without signing.

IME I've signed many mails and verified many signed mails and very rarely
encrypted messages. In fact the only times I have encrypted or decrypted
mail were when sending signatures of someone's key to themselves.
I suppose different people have different use-cases.

-- 
Jon Dowland
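The reply above describes two separate checks: whether a key is connected to the web of trust at all (what a pathfinder site answers) and whether it is actually valid for you, which is a question of ownertrust, not of reachability. The following is an added illustration written for this page; it is not GnuPG code and not code from anyone in the thread. It models certifications as a directed graph, finds the shortest certification chain the way a pathfinder would, and then computes validity with the rules GnuPG's classic trust model uses by default (one fully trusted or three marginally trusted valid signers, certification depth at most 5). Every key name, the certification graph and the ownertrust assignments are constructed for the example; the situation of a key signed only by its owner's older key, which in turn carries one certification from someone else, is modelled deliberately.

```python
"""Trust-path search and key validity over a constructed OpenPGP
certification graph (added example; not GnuPG code).

A certification "A signed B" is a directed edge A -> B. A path from your
own key to a target shows the target is connected to the web of trust;
it does not by itself make the target key valid. Validity is computed
as GnuPG's classic trust model does by default: a key is valid if it is
certified by one fully trusted valid key or by three marginally trusted
valid keys (completes-needed=1, marginals-needed=3).
All key names and the graph itself are made up for illustration.
"""
from collections import deque

# Constructed certification graph: signer -> set of keys it has signed.
# "MIKA_NEW" is signed only by "MIKA_OLD", a second key of the same person,
# which in turn carries one certification from someone else ("CAROL").
SIGNATURES = {
    "ME":       {"ALICE", "BOB"},
    "ALICE":    {"BOB", "CAROL"},
    "BOB":      {"DAVE"},
    "CAROL":    {"MIKA_OLD"},
    "MIKA_OLD": {"MIKA_NEW"},
    "EVE":      set(),            # nobody has signed EVE; EVE signed nobody
}


def signers_of(sigs, key):
    """Keys that have certified `key` (self-signatures excluded)."""
    return {s for s, signed in sigs.items() if key in signed and s != key}


def find_trust_path(sigs, start, target, max_depth=5):
    """Shortest certification chain start -> ... -> target, or None.
    max_depth mirrors GnuPG's default --max-cert-depth of 5."""
    if start == target:
        return [start]
    prev = {start: None}
    depth = {start: 0}
    queue = deque([start])
    while queue:
        cur = queue.popleft()
        if depth[cur] >= max_depth:
            continue                      # do not certify beyond the depth limit
        for nxt in sigs.get(cur, ()):
            if nxt in prev:
                continue                  # already reached by a shorter chain
            prev[nxt] = cur
            depth[nxt] = depth[cur] + 1
            if nxt == target:
                path = [nxt]
                while prev[path[-1]] is not None:
                    path.append(prev[path[-1]])
                return path[::-1]
            queue.append(nxt)
    return None


def valid_keys(sigs, ownertrust, completes_needed=1, marginals_needed=3):
    """Fixed-point computation of key validity.

    ownertrust maps key -> 'ultimate' | 'full' | 'marginal'. Ultimately
    trusted keys are valid by definition; every other key must be
    certified by enough *valid* keys that themselves carry ownertrust.
    A valid key with no ownertrust (e.g. MIKA_OLD) introduces nobody."""
    every_key = set(sigs) | {k for signed in sigs.values() for k in signed}
    valid = {k for k, t in ownertrust.items() if t == "ultimate"}
    changed = True
    while changed:
        changed = False
        for key in every_key - valid:
            trusted = [s for s in signers_of(sigs, key) if s in valid]
            full = sum(ownertrust.get(s) in ("full", "ultimate") for s in trusted)
            marginal = sum(ownertrust.get(s) == "marginal" for s in trusted)
            if full >= completes_needed or marginal >= marginals_needed:
                valid.add(key)
                changed = True
    return valid


if __name__ == "__main__":
    print("path to MIKA_NEW:", find_trust_path(SIGNATURES, "ME", "MIKA_NEW"))
    print("path to EVE:     ", find_trust_path(SIGNATURES, "ME", "EVE"))
    trust = {"ME": "ultimate", "ALICE": "full"}
    print("valid, ALICE full:       ", sorted(valid_keys(SIGNATURES, trust)))
    trust["CAROL"] = "full"
    print("valid, CAROL full as well:", sorted(valid_keys(SIGNATURES, trust)))
```

Running it shows the distinction the thread turns on: a four-hop chain ME -> ALICE -> CAROL -> MIKA_OLD -> MIKA_NEW exists, so a pathfinder would report the key as connected, yet MIKA_NEW is not valid under either ownertrust assignment, because the only key certifying it is the owner's other key and nobody has assigned that key any ownertrust. Reachability is necessary for validity, not sufficient.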

