On 30/09/2015 8:58 pm, Robert J. Hansen wrote:
>> I create for myself a gpg key and want to get it signed
>
> More important than whether your certificate gets signed is who signs
> the certificate, who they are connected to, and so on.
>
> Some people will sign almost anything. People who get a reputation for
> signing anything develop a reputation for their signatures being
> meaningless. Some people have very strong requirements before they'll
> sign. Their signatures are often worth quite a lot of credibility, but
> good luck getting them.
>
> The good news is this *can be done*. I promise.
>
> The best thing you can do right now is to get involved in the community.
> Get engaged in the mailing lists (here, PGP-Basics, Enigmail-Users are
> three good ones). And when you post, sign your messages. Over time
> people will come to trust that your signature connects to the real you,
> even if they can't promise that your name really is David Niklas, or
> can't say what you look like.
>
Whilst that is partially useful, surely it only vouches for the fact that the postings came from the same person and not who that person is - and as such is of very limited use. I have a "newsgroup" key for that purpose - but it is a tad pointless.

I think I know the person who calls himself Robert J. Hansen and you have certainly corresponded with someone called Robert H. Henson, but we have no idea who those people are unless we meet.

Keys should only ever be signed in person and, if the person is not well known to you by sight, with some form of irrefutable photo evidence being presented along with the key signature - a passport, or something carrying equal weight.

There might be a possible exception where there is no individual person to meet - the verification signature with software, say. When you have downloaded the software from the same, known website for some time it might be reasonable to sign the verification key - if a tad pointless if it is only really a checksum. Perhaps the same applies to a Certificate Authority key, say.

But a signature of any person's key that you have not met and positively verified is worse than useless as it degrades the whole trust process. Someone who I had never previously even heard of once signed my old, now revoked key - were that person someone "known" to be nasty, it would have degraded my key's value. The best it could have been is totally meaningless.

Regards,
Bob
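As an added worked example (not part of this thread, and not GnuPG's own code), the following Python is a deliberately simplified re-implementation of the "classic" trust model that gpg uses to turn signatures on a certificate into a validity rating. It assumes the default parameters completes-needed = 1, marginals-needed = 3 and max-cert-depth = 5, and the keyring, signatures and ownertrust values are constructed for illustration. It shows the mechanics behind both posts above: a signature only counts if the signer's own key is already fully valid to you and you have explicitly assigned that signer ownertrust, so a signature from someone you have never rated (the "stranger" below) contributes nothing to the signed key's validity, while someone you rate as fully trusted but whose key nobody valid has signed ("ivan") contributes nothing either.

```python
"""Toy model of GnuPG's classic trust model (added illustration; constructed
data; not code from the gnupg-users thread or from GnuPG itself).

Validity of a key is computed from the signatures on it and from the
ownertrust YOU assigned to the signers (gpg --edit-key <id> trust, or
--import-ownertrust).  Defaults assumed: completes-needed=1,
marginals-needed=3, max-cert-depth=5.
"""

# Ownertrust levels as gpg names them.
UNKNOWN, NEVER, MARGINAL, FULL, ULTIMATE = (
    "unknown", "never", "marginal", "full", "ultimate")

COMPLETES_NEEDED = 1   # one fully trusted introducer suffices
MARGINALS_NEEDED = 3   # or three marginally trusted introducers
MAX_CERT_DEPTH = 5     # longest chain from an ultimate key


def compute_validity(signatures, ownertrust):
    """signatures: {key: set of keys that signed it}; ownertrust: {key: level}.

    Returns {key: 'full' | 'marginal' | 'unknown'}, roughly the validity
    column of `gpg --list-keys --with-colons`.  Only FULLY valid keys act as
    introducers; a marginally valid key vouches for nobody.
    """
    keys = set(signatures) | set(ownertrust)
    validity = {k: UNKNOWN for k in keys}
    # Depth 0: keys I rated "ultimate" (normally my own) are valid by definition.
    for k, level in ownertrust.items():
        if level == ULTIMATE:
            validity[k] = FULL

    for _depth in range(1, MAX_CERT_DEPTH + 1):
        introducers = {k for k, v in validity.items() if v == FULL}
        newly_full = False
        for key, signers in signatures.items():
            if validity[key] == FULL:
                continue
            full_count = marginal_count = 0
            for s in signers:
                # A signature counts only if the signer's own key is already
                # fully valid to me AND I assigned that signer ownertrust.
                if s not in introducers:
                    continue
                level = ownertrust.get(s, UNKNOWN)
                if level in (FULL, ULTIMATE):
                    full_count += 1
                elif level == MARGINAL:
                    marginal_count += 1
                # NEVER and UNKNOWN contribute nothing.
            if full_count >= COMPLETES_NEEDED or marginal_count >= MARGINALS_NEEDED:
                validity[key] = FULL
                newly_full = True
            elif full_count or marginal_count:
                validity[key] = MARGINAL
        if not newly_full:
            break   # no new introducers, deeper rounds cannot change anything
    return validity


# Constructed keyring: which keys carry a signature from which other keys.
SIGNATURES = {
    "me": set(),
    "alice": {"me"},                          # met in person, I signed her key
    "bob1": {"me"}, "bob2": {"me"}, "bob3": {"me"},
    "carol": {"alice"},                       # Alice (full ownertrust) vouches
    "dave": {"bob1", "bob2"},                 # two marginal signers: not enough
    "erin": {"bob1", "bob2", "bob3"},         # three marginal signers: enough
    "frank": {"stranger"},                    # signed only by someone I never rated
    "grace": {"erin"},                        # Erin is valid but has no ownertrust
    "hank": {"ivan"},                         # Ivan has ownertrust but no valid key
    "stranger": set(),
    "ivan": set(),
}

# Constructed ownertrust assignments (what I decided about each signer).
OWNERTRUST = {
    "me": ULTIMATE,
    "alice": FULL,
    "bob1": MARGINAL, "bob2": MARGINAL, "bob3": MARGINAL,
    "ivan": FULL,      # rated, but nobody valid ever signed Ivan's key
}

if __name__ == "__main__":
    for key, v in sorted(compute_validity(SIGNATURES, OWNERTRUST).items()):
        print(f"{key:9s} {v}")
```

Running it shows "frank" and "grace" staying at unknown validity despite carrying a signature, which is the mechanical reason a signature from an unknown party adds nothing to the signed key: the only thing that makes a signature count is a rating that the relying party had to assign themselves.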
_______________________________________________ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users