Re: Migrating to GPG - A mini-HOWTO
Martin Schulze <joey@finlandia.Infodrom.North.DE> writes:
> If the people that signed the key are still known and also use GnuPG
> these days, they can sign the new key as well. If not, the maintainer
> has to decide what to do. It's good to have the option to continue
> with the old key, though.
Are you saying that people should sign keys received via e-mail,
rather than face to face?
If so, I'm strongly against this.
You should only sign keys which you have obtained from someone in
person, whose identity you are reasonably certain of (i.e. passport).
If I sign my GPG key with my PGP key, then people can decide if the
GPG key is worthwhile on that basis.
If I then go to a load of key signings and establish a GPG web of
trust, people rightly get a higher level of confidence in my GPG key.
That higher level of confidence would be misplaced if I'd simply
mailed my key to all my old PGP signers, and they'd signed it.