On Sat, Jan 21, 2012 at 10:50:11PM +0100, Gregor Zattler wrote:
> IMHO by signing a key you make a statement about the connection
> between a person or owner and the user id you sign, saying "I
> somehow convinced myself that user owns this key". This only
> makes sense if you have some insight into the matter that a
> person which is confronted with the key only cannot have. Your
> signature should add some information. Merely saying I'm
> convinced that the user is the owner/originator of the key
> because someone else already signed this key, does not make much
> sense to me. I think you should have added a notation explaining
> your reasoning.

I trust the encrypted connection between my browser and my bank, because the certificate they present to my browser is signed by a root CA that is installed in the browser. It seems possible to make a valid corollary with OpenPGP keys. I trust a key belongs to a specific user, because that key, presented to me to be owned by a specific person, is signed by a root CA. Essentially, I'm using a CA as a 3rd party to casually establish identity. At this point, I can rest assured that the key this person claims is theirs is actually theirs.

--
. o . o . o . . o o . . . o .
. . o . o o o . o . o o . . o
o o o . o . . o o o o . o o o
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users