Re: OT: More about GPG signing
On Thu, May 10, 2012 at 05:32:25PM +0100, Tony van der Hoff wrote:
> On 10/05/12 17:16, Brad Rogers wrote:
> > On Thu, 10 May 2012 17:59:34 +0200
> > Ralf Mardorf <email@example.com> wrote:
> > Hello Ralf,
> >> This resulted in "Valid signature, but cannot verify sender (Phil
> >> Dobbin <firstname.lastname@example.org>)":
> > Because there's no web of trust involving people that both you and the
> > keyholder know.
> So, the OP signs his mail to a list. I would guess that no web of trust
> exists between him and 99.9% of the list members.
> What is the benefit of such a signature?
It establishes the identity associated with the signature. If
Ralf had been signing his emails for the last 2 years, I would feel
confident that I have a valid public key for "Ralf, the guy on the
debian-user mailing list, who often answers questions about audio". Of
course I don't know if he's "Ralf with black hair", or "Ralf who lives
on Main St.", but for my purposes this is good enough.
If I someday want to send an encrypted message to the Ralf that I know
(debian-user Ralf), I can do it. For me, knowing Ralf's personal
identity is not as important as knowing his online identity because our
relationship is online. As long as I don't forget that, then seeing his
signature in emails is a potential benefit to me.
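
Added example (not part of the original message): the key-continuity reasoning above, sketched in Python. It pins the first fingerprint seen per sender address from GnuPG `--status-fd` VALIDSIG lines and reports how long that key has been seen consistently; the address, fingerprints and status lines are constructed, and the function names are hypothetical.

```python
from datetime import date

FPR_A, FPR_B = "A" * 40, "B" * 40  # constructed fingerprints, not real keys
SENDER = "ralf@example.org"        # constructed address

def validsig(fpr, day):
    # Builds a constructed status line in the VALIDSIG field layout: fpr, date,
    # timestamp, expiry, version, reserved, pk-algo, hash-algo, class, primary-fpr
    return f"[GNUPG:] VALIDSIG {fpr} {day.isoformat()} 0 0 4 0 1 8 00 {fpr}"

# Constructed observations: (From address, date of post, status line for that post)
SAMPLE = [
    (SENDER, date(2010, 5, 10), validsig(FPR_A, date(2010, 5, 10))),
    (SENDER, date(2011, 3, 2), validsig(FPR_A, date(2011, 3, 2))),
    (SENDER, date(2012, 5, 10), validsig(FPR_A, date(2012, 5, 10))),
    (SENDER, date(2012, 5, 11), "[GNUPG:] BADSIG 0123456789ABCDEF Ralf"),
    (SENDER, date(2012, 5, 12), validsig(FPR_B, date(2012, 5, 12))),
]

def primary_fingerprint(status_line):
    """Return the primary key fingerprint of a VALIDSIG line, else None."""
    parts = status_line.split()
    if parts[:2] != ["[GNUPG:]", "VALIDSIG"] or len(parts) < 3:
        return None
    return parts[11] if len(parts) >= 12 else parts[2]

def key_continuity(observations):
    """Pin the first key seen per sender; count agreeing posts, record conflicts."""
    pinned = {}
    for sender, day, status in observations:
        fpr = primary_fingerprint(status)
        if fpr is None:
            continue  # unsigned or bad signature: no evidence either way
        rec = pinned.setdefault(sender, {"fpr": fpr, "first": day, "last": day,
                                         "count": 0, "conflicts": []})
        if fpr == rec["fpr"]:
            rec["count"] += 1
            rec["first"], rec["last"] = min(rec["first"], day), max(rec["last"], day)
        else:
            rec["conflicts"].append((day, fpr))  # a different key claims this address
    return pinned

def history_days(rec):
    """Length of the period over which the pinned key was seen."""
    return (rec["last"] - rec["first"]).days

if __name__ == "__main__":
    rec = key_continuity(SAMPLE)[SENDER]
    print(rec["fpr"], rec["count"], history_days(rec), rec["conflicts"])
```

A long, conflict-free history supports "this is the key of the person who posts from this address"; it says nothing about the offline identity, which is what the web of trust would add.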