Re: OT: More about GPG signing
On 05/11/2012 08:34 AM, Rob Owens wrote:
> On Thu, May 10, 2012 at 05:32:25PM +0100, Tony van der Hoff wrote:
>> On 10/05/12 17:16, Brad Rogers wrote:
>>> On Thu, 10 May 2012 17:59:34 +0200
>>> Ralf Mardorf <ralf.mardorf@alice-dsl.net> wrote:
>>>
>>> Hello Ralf,
>>>
>>>> This resulted in "Valid signature, but cannot verify sender (Phil
>>>> Dobbin <bukowskiscat@gmail.com>)":
>>>
>>> Because there's no web of trust involving people that both you and the
>>> keyholder know.
>>>
>> So, the OP signs his mail to a list. I would guess that no web of trust
>> exists between him and 99.9% of the list members.
>>
>> What is the benefit of such a signature?
>>
> It establishes the identity associated with the signature. If
> Ralf had been signing his emails for the last 2 years, I would feel
> confident that I have a valid public key for "Ralf, the guy on the
> debian-user mailing list, who often answers questions about audio". Of
> course I don't know if he's "Ralf with black hair", or "Ralf who lives
> on Main St.", but for my purposes this is good enough.
>
> If I someday want to send an encrypted message to the Ralf that I know
> (debian-user Ralf), I can do it. For me, knowing Ralf's personal
> identity is not as important as knowing his online identity because our
> relationship is online. As long as I don't forget that, then seeing his
> signature in emails is a potential benefit to me.
>
GPG/PGP signatures will only ever have any real value to you if you're
part of a strong key set within the web of trust. That is to say if your
key and the other person's key have a chain of signatures from people
who have actually met and followed best practices for verifying the
identity before signing keys. Then, and only then, could you look at the
signature chain between your key and theirs and be confident in the true
identity. If I only sign the keys of people I have personally verified
and then they in turn only sign keys of people they have personally
verified then you can trust them to be an introducer. Their signature on
another key will let you know that they've verified them and because you
trust them then you can then trust this new key you've not signed.

It is a lot like getting a reference for someone. If you don't trust
their judgment are you honestly gonna trust them as a reference for
someone you haven't met? Along that same analogy, I prefer PGP/MIME
signatures as they are unobtrusive but available for verification by
those that wish to do so. Inline simply generates too much needless
noise and is a method that's at least 10 years outdated since the
PGP/MIME standard was adopted.
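The introducer rule described in the message above, as an added example that is not part of the thread: a small Python model of the GnuPG-style web of trust, in which a key becomes valid once it is signed by a key that is itself valid and whose owner you trust as an introducer (one fully trusted introducer, or three marginally trusted ones, which is GnuPG's default). The key names, signatures and trust levels are constructed sample data, not anyone's real keyring.

```python
from collections import defaultdict

FULL, MARGINAL, NONE = "full", "marginal", "none"

def valid_keys(own_key, signatures, owner_trust, max_depth=5):
    """Return the set of keys whose identity you can rely on.
    signatures:  (signer, signed) pairs, meaning `signer` certified `signed`
    owner_trust: key -> FULL | MARGINAL | NONE, how far you trust that key's
                 owner as an introducer (your own key is always FULL)
    """
    signers_of = defaultdict(set)
    for signer, signed in signatures:
        signers_of[signed].add(signer)
    trust = {**owner_trust, own_key: FULL}
    valid = {own_key}
    for _ in range(max_depth):                 # bounded chain length
        newly = set()
        for key, signers in signers_of.items():
            if key in valid:
                continue
            # A signature only counts if the signer's key is itself valid
            # AND you trust its owner as an introducer; a valid key with
            # no owner-trust vouches for nothing (Bob below).
            full = [s for s in signers if s in valid and trust.get(s) == FULL]
            marg = [s for s in signers if s in valid and trust.get(s) == MARGINAL]
            if full or len(marg) >= 3:
                newly.add(key)
        if not newly:
            break
        valid |= newly
    return valid

# Constructed sample data: "me" met Alice and signed her key; Alice verified
# Bob, Carol, Erin, Gina and Hal in person; Bob signed Dave; Erin, Gina and
# Hal each signed Frank; only Erin and Gina signed Grace; Zed signed Yan but
# nobody in the chain ever signed Zed.
SAMPLE_SIGS = [
    ("me", "alice"),
    ("alice", "bob"), ("alice", "carol"), ("alice", "erin"),
    ("alice", "gina"), ("alice", "hal"),
    ("bob", "dave"),
    ("erin", "frank"), ("gina", "frank"), ("hal", "frank"),
    ("erin", "grace"), ("gina", "grace"),
    ("zed", "yan"),
]
SAMPLE_TRUST = {"alice": FULL, "bob": NONE,
                "erin": MARGINAL, "gina": MARGINAL, "hal": MARGINAL}
if __name__ == "__main__":
    print(sorted(valid_keys("me", SAMPLE_SIGS, SAMPLE_TRUST)))
```

Dave stays invalid even though Bob's key is valid, because a valid key is not the same as a trusted introducer; Grace stays invalid because two marginal signatures are one short.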