Re: OT: More about GPG signing
On Sun, May 13, 2012 at 03:02:02PM +0100, Phil Dobbin wrote:
> On 13/05/12 12:31, Andrei POPESCU wrote:
>
> > On Fri, 11 May 12, 17:49:30, Phil Dobbin wrote:
> >>
> >> & on the strength of that message, Slavko, it gave me great
> >> pleasure to import & sign your key :-)
> >
> > Don't sign other keys unless you have met the owner in person.
>
>
> If that was the strategy everybody adopted with PGP, there'd be very
> few, if any, keys signed, ever.
>
> Thanks for the advice but I think I'll pass.
>
I think the point is that you do not necessarily have to sign a key in
order for it to be useful. But if you sign keys without doing the same
level of verification that I would do, then I can simply assign no trust
to your key (which means that I don't trust the signatures that you've
made to other keys). So your hypothetical low keysigning standards
shouldn't affect me.
When you sign a key, you are asked how carefully you have verified the
key that you are signing. "I have not checked at all" is a choice. I'm
not sure I see the point in signing if you haven't checked at all.
Maybe someone on the list can explain that one.
I do think that sometimes verifying a key through online means is more
effective than meeting someone in person. I don't know what the
owner of a particular website should look like, and I'm not an expert at
validating passports, driver's licenses, or other forms of ID
(particularly not foreign ones). But I can verify that the person in
control of the website has had the same GPG key posted every time I
visited that website for the past year. It might take me quite a while
to sign a key using that method but it's a valid method, and I think I could
easily be fooled by an in-person imposter.
-Rob
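One way to see what each signer actually claimed when certifying a key, as an added example that is not part of the original thread: it parses the record format of `gpg --with-colons --check-sigs` (the class byte in field 11 encodes the answer to the "how carefully have you verified" prompt) over a constructed sample block, not real key data.

```python
"""Added example, not code from the original thread: parse the output of
`gpg --with-colons --check-sigs KEYID` so the recipient of a key can see
what each signer claimed about how carefully they verified it."""

# Signature class byte -> the answer given to gpg's "How carefully have
# you verified..." prompt (RFC 4880 section 5.2.1).
CERT_LEVELS = {
    "10": "generic (signer made no claim about verification)",
    "11": "persona (signer chose 'I have not checked at all')",
    "12": "casual checking",
    "13": "very careful checking",
}

# Constructed sample, not real key material. Field 2 is gpg's check result
# ('!' good, '?' no key), field 10 the signer's user ID, field 11 the class
# byte followed by 'x' (exportable) or 'l' (local-only signature).
SAMPLE_CHECK_SIGS = """\
pub:f:4096:1:AAAAAAAAAAAAAAAA:1304000000::::::scESC::::::23::0:
uid:f::::1304000000::0123456789ABCDEF0123456789ABCDEF01234567::Example Owner <owner@example.org>::::::::::0:
sig:!::1:AAAAAAAAAAAAAAAA:1304000000::::Example Owner <owner@example.org>:13x::::::::0:
sig:!::1:BBBBBBBBBBBBBBBB:1336900000::::Careful Signer <careful@example.org>:13x::::::::0:
sig:!::1:CCCCCCCCCCCCCCCC:1336900000::::Casual Signer <casual@example.org>:12x::::::::0:
sig:!::1:DDDDDDDDDDDDDDDD:1336900000::::Unchecked Signer <nocheck@example.org>:11x::::::::0:
sig:!::1:EEEEEEEEEEEEEEEE:1336900000::::Local Signer <local@example.org>:13l::::::::0:
sig:?::1:FFFFFFFFFFFFFFFF:1336900000::::[User ID not found]:10x::::::::0:
"""

def parse_certifications(colon_output):
    """One dict per third-party certification on the first key in the output.
    The key's own self-signature is skipped: it says nothing about verification."""
    owner, certs = None, []
    for line in colon_output.splitlines():
        f = line.split(":")
        if f[0] == "pub" and owner is None:
            owner = f[4]
        if f[0] != "sig" or len(f) < 11 or f[4] == owner:
            continue
        certs.append({
            "signer": f[4],
            "level": f[10][:2],
            "verified": f[1] == "!",             # gpg could check the signature
            "exportable": f[10].endswith("x"),
            "claim": CERT_LEVELS.get(f[10][:2], "unknown class " + f[10]),
        })
    return certs

def unchecked_signers(certs):
    """Signers whose certification carries no verification claim (0x10/0x11)."""
    return [c["signer"] for c in certs if c["level"] in ("10", "11")]
```

On a real keyring, feed it the output of `gpg --with-colons --check-sigs KEYID`; a certification at class 0x10 or 0x11 tells you the signer asserted nothing about having verified the key, whatever ownertrust you might otherwise give them.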