On Sun, May 13, 2012 at 03:02:02PM +0100, Phil Dobbin wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 13/05/12 12:31, Andrei POPESCU wrote:
>
> > On Vi, 11 mai 12, 17:49:30, Phil Dobbin wrote:
> >>
> >> & on the strength of that message, Slavko, it gave me great
> >> pleasure to import & sign your key :-)
> >
> > Don't sign other keys unless you have met the owner in person.
>
> If that was the strategy everybody adopted with PGP, there'd be very
> few, if any, keys signed, ever.
>
> Thanks for the advice but I think I'll pass.

I think the point is that you do not necessarily have to sign a key in order for it to be useful. But if you sign keys without doing the same level of verification that I would do, then I can simply assign no trust to your key (which means that I don't trust the signatures that you've made to other keys). So your hypothetical low keysigning standards shouldn't affect me.

When you sign a key, you are asked how carefully you have verified the key that you are signing. "I have not checked at all" is a choice. I'm not sure I see the point in signing if you haven't checked at all. Maybe someone on the list can explain that one.

I do think that sometimes verifying a key through online means is more effective than meeting someone in person. I don't know what the owner of a particular website should look like, and I'm not an expert at validating passports, driver's licenses, or other forms of ID (particularly not foreign ones). But I can verify that the person in control of the website has had the same GPG key posted every time I visited that website for the past year. It might take me quite a while to sign a key using that method, but it's a valid method, and I think I could easily be fooled by an in-person imposter.

-Rob

--
To UNSUBSCRIBE, email to [email protected] with a subject of "unsubscribe".
Trouble? Contact [email protected]
Archive: http://lists.debian.org/[email protected]

