
Re: OT: More about GPG signing



On Sun, May 13, 2012 at 03:02:02PM +0100, Phil Dobbin wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> On 13/05/12 12:31, Andrei POPESCU wrote:
> 
> > On Vi, 11 mai 12, 17:49:30, Phil Dobbin wrote:
> >> 
> >> & on the strength of that message, Slavko, it gave me great
> >> pleasure to import & sign your key :-)
> > 
> > Don't sign other keys unless you have met the owner in person.
> 
> 
> If that was the strategy everybody adopted with PGP, there'd be very
> few, if any, keys signed, ever.
> 
> Thanks for the advice but I think I'll pass.
> 
I think the point is that you do not necessarily have to sign a key in 
order for it to be useful.  But if you sign keys without doing the same
level of verification that I would do, then I can simply assign no trust
to your key (which means that I don't trust the signatures that you've
made to other keys).  So your hypothetical low keysigning standards 
shouldn't affect me.

When you sign a key, you are asked how carefully you have verified the
key that you are signing.  "I have not checked at all" is a choice.  I'm
not sure I see the point in signing if you haven't checked at all.
Maybe someone on the list can explain that one.

I do think that sometimes verifying a key through online means is more
effective than meeting someone in person.  I don't know what the
owner of a particular website should look like, and I'm not an expert at
validating passports, driver's licenses, or other forms of ID
(particularly not foreign ones).  But I can verify that the person in
control of the website has had the same GPG key posted every time I
visited that website for the past year.  It might take me quite a while
to sign a key using that method but it's a valid method, and I think I could 
easily be fooled by an in-person imposter.

-Rob
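The argument Rob makes above (a signer you assign no ownertrust to cannot make a key valid for you, and a certification made without checking carries little weight) can be followed through with a small model of GnuPG's classic trust computation. The code below is an added illustration written for this archive page; it is not GnuPG's code and not anything posted in the thread. The parameters mirror the defaults GnuPG documents for the classic model (marginals-needed 3, completes-needed 1, min-cert-level 2, max-cert-depth 5); the key names "rob", "phil", "slavko" and the signatures between them are constructed for the example, and the model leaves out expiry, revocation, per-user-ID validity and the other details the real trustdb handles.

```python
from dataclasses import dataclass
from enum import IntEnum


class CertLevel(IntEnum):
    """Check level recorded in a certification (what gpg asks with --ask-cert-level)."""
    GENERIC = 0    # "I will not answer" / no particular claim (signature class 0x10)
    PERSONA = 1    # "I have not checked at all" (0x11)
    CASUAL = 2     # "I have done casual checking" (0x12)
    POSITIVE = 3   # "I have done very careful checking" (0x13)


class OwnerTrust(IntEnum):
    """How far the local user trusts a key's owner to certify other keys."""
    UNKNOWN = 0
    NEVER = 1
    MARGINAL = 2
    FULL = 3
    ULTIMATE = 4


@dataclass(frozen=True)
class Signature:
    signer: str      # key id of the certifying key
    level: CertLevel


class TrustDB:
    """Simplified model of GnuPG's classic trust model with its documented defaults."""

    def __init__(self, marginals_needed=3, completes_needed=1,
                 min_cert_level=2, max_cert_depth=5):
        self.marginals_needed = marginals_needed
        self.completes_needed = completes_needed
        self.min_cert_level = min_cert_level
        self.max_cert_depth = max_cert_depth
        self.sigs = {}          # target key id -> {signer key id -> Signature}
        self.ownertrust = {}    # key id -> OwnerTrust assigned by the local user

    def add_key(self, keyid, ownertrust=OwnerTrust.UNKNOWN):
        self.sigs.setdefault(keyid, {})
        self.ownertrust[keyid] = ownertrust

    def set_ownertrust(self, keyid, trust):
        self.ownertrust[keyid] = trust

    def sign(self, signer, target, level):
        # A newer certification by the same signer supersedes the older one.
        self.sigs[target][signer] = Signature(signer, level)

    def _counts(self, sig, valid):
        """A signature counts only if its signer's key is itself valid and the
        check level clears min-cert-level (level 0 is always accepted)."""
        if sig.signer not in valid:
            return False
        return sig.level == CertLevel.GENERIC or sig.level >= self.min_cert_level

    def validity(self):
        """Return {key id: 'ultimate' | 'full' | 'marginal' | 'unknown'}."""
        valid = {k for k, t in self.ownertrust.items() if t == OwnerTrust.ULTIMATE}
        result = {k: "ultimate" for k in valid}
        for _ in range(self.max_cert_depth):
            newly = {}
            for target, by_signer in self.sigs.items():
                if target in valid:
                    continue
                full = marginal = 0
                for sig in by_signer.values():
                    if not self._counts(sig, valid):
                        continue
                    t = self.ownertrust[sig.signer]
                    if t in (OwnerTrust.FULL, OwnerTrust.ULTIMATE):
                        full += 1
                    elif t == OwnerTrust.MARGINAL:
                        marginal += 1
                    # NEVER and UNKNOWN signers contribute nothing, however many keys they sign.
                if full >= self.completes_needed or marginal >= self.marginals_needed:
                    newly[target] = "full"
                elif full or marginal:
                    result[target] = "marginal"
            if not newly:
                break
            valid |= newly.keys()
            result.update(newly)
        return {k: result.get(k, "unknown") for k in self.ownertrust}


def thread_scenario(phil_trust, phil_level):
    """Constructed scenario: Rob (ultimate) has carefully checked and signed Phil's key;
    Phil signs Slavko's key at `phil_level`; Rob assigns `phil_trust` to Phil.
    Returns the validity of Slavko's key as Rob's keyring would compute it."""
    db = TrustDB()
    db.add_key("rob", OwnerTrust.ULTIMATE)
    db.add_key("phil", phil_trust)
    db.add_key("slavko")
    db.sign("rob", "phil", CertLevel.POSITIVE)
    db.sign("phil", "slavko", phil_level)
    return db.validity()["slavko"]


def marginal_web(signer_count):
    """Constructed scenario: `signer_count` keys that Rob trusts only marginally
    each sign Slavko's key with casual checking."""
    db = TrustDB()
    db.add_key("rob", OwnerTrust.ULTIMATE)
    db.add_key("slavko")
    for i in range(signer_count):
        db.add_key(f"m{i}", OwnerTrust.MARGINAL)
        db.sign("rob", f"m{i}", CertLevel.POSITIVE)
        db.sign(f"m{i}", "slavko", CertLevel.CASUAL)
    return db.validity()["slavko"]
```

With Phil left at the default "unknown" ownertrust (or set to "never"), Slavko's key stays unknown on Rob's keyring no matter what Phil signed, which is exactly the point made above. Giving Phil full ownertrust helps only if his certification was made with at least casual checking: a level-1 "I have not checked at all" signature is disregarded by the default min-cert-level of 2, while the level-0 "no particular claim" signature is always accepted. Three marginally trusted signers together make the key fully valid; two leave it marginal.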

