On 10/02/2015 06:55 PM, Faramir wrote:
> ...
> Well, you don't really need your key signed for that... at least,
> not the key with your name on it. You can make a key using the name
> "mysoftwarename distribution key", and use it to sign the files. Once
> people start using the software, they may sign the key. They don't
> know who is behind the key, but they will know it is the same key that
> has been using since day 1.
>
I agree with this sentiment. I have locally signed Niibe's and Werner's distribution keys, meaning the signatures are not exportable. I have not verified their identities, but the fingerprints match those on their website and listed in the announcement e-mails about the software. I would not be able to definitively say that those keys belong to a person named Werner Koch or Niibe Yutaka, but they do belong to the people claiming to have those names and consistently releasing software under those names. Since the keys do not change with every release, it is reasonable to assert that it is the same people/person every time.

Point is, you don't need to have your identity verified for people to trust your key. All my keys are self-signed. I revoked the original key I created and created this one. I signed this key with the old one before revoking it. Therefore, you could roughly assume that I am the person who controlled the secret material to the previous key with this UID, since this key is signed by that one as well. My name may or may not really be "Antony Prince", but the keys created with that UID are chained together by their signatures.

I could go even further and make a short web page listing the previous and current fingerprints and why I revoked the previous key (called a "transition statement", IIRC) and even sign that message. I have not done this because my identity as far as my gpg key goes is not under that much scrutiny or of that much importance to anyone that I'd need to go to those lengths.

-- 
Antony Prince
Key ID: 0xAF3D4087301B1B19
Fingerprint: 591F F17F 7A4A A8D0 F659 C482 AF3D 4087 301B 1B19
URL: http://keyserver.blazrsoft.com/pks/lookup?op=get&search=0xAF3D4087301B1B19
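The two ideas in the post above, non-exportable local signatures and a new key being chained to the old one by a certification from the old key, can both be checked mechanically from the machine-readable output of `gpg --with-colons --list-sigs`. The following is an added example (not code from the post or from GnuPG) that parses that record format and answers both questions. The listing embedded in it is constructed: the current-key fingerprint is the one from the signature block above, while the old key ID `0123456789ABCDEF`, the third signer `FEDCBA9876543210`, and the e-mail addresses are made up for the example.

```python
"""Inspect `gpg --with-colons --list-sigs` output for key-transition chains
and local (non-exportable) certifications.

Colon-record field positions used here (0-based, per GnuPG's doc/DETAILS):
  [0] record type, [4] long key ID, [9] user ID / fingerprint, [10] signature class.
"""
from dataclasses import dataclass

# RFC 4880 certification signature types that bind a user ID to a key.
CERT_CLASSES = {"10", "11", "12", "13"}

# CONSTRUCTED sample listing: the fingerprint is the one from the post's signature
# block; the old key ID, the third signer and the addresses are made up.
SAMPLE_LISTING = """\
pub:u:4096:1:AF3D4087301B1B19:1420070400:::u:::scESC::::::
fpr:::::::::591FF17F7A4AA8D0F659C482AF3D4087301B1B19:
uid:u::::1420070400::UIDHASHPLACEHOLDER::Antony Prince <placeholder@example.invalid>::::::::::0:
sig:::1:AF3D4087301B1B19:1420070400::::Antony Prince <placeholder@example.invalid>:13x:::::::::
sig:::1:0123456789ABCDEF:1420070500::::Antony Prince (old key, constructed) <old@example.invalid>:13x:::::::::
sig:::1:FEDCBA9876543210:1420070600::::Someone Else (constructed) <se@example.invalid>:10l:::::::::
"""


@dataclass(frozen=True)
class Signature:
    issuer_keyid: str  # long key ID of the signer (field 4 of a sig: record)
    sig_class: str     # two hex digits, e.g. "13" = positive certification
    exportable: bool   # "x" suffix = exportable, "l" suffix = local (lsign)


def _norm(key_ref):
    """Normalise a fingerprint or key ID: drop spaces and a 0x prefix, upper-case."""
    return key_ref.replace(" ", "").upper().removeprefix("0X")


def parse_listing(text):
    """Return {fingerprint: {user_id: [Signature, ...]}} from --with-colons output."""
    keys = {}
    fpr = None
    uid = None
    for line in text.splitlines():
        fields = line.split(":")
        rec = fields[0]
        if rec == "pub":
            fpr, uid = None, None           # a new primary key starts
        elif rec == "fpr" and fpr is None:  # first fpr after pub is the primary key's
            fpr = fields[9]
            keys[fpr] = {}
        elif rec == "uid" and fpr is not None:
            uid = fields[9]
            keys[fpr][uid] = []
        elif rec == "sig" and fpr is not None and uid is not None:
            cls = fields[10]
            keys[fpr][uid].append(Signature(fields[4].upper(), cls[:2], cls.endswith("x")))
    return keys


def chain_is_linked(keys, new_key, old_key):
    """True if some user ID on new_key carries a certification issued by old_key.

    Self-signatures never count as a link; old_key may be a fingerprint or key ID.
    """
    new_fpr = _norm(new_key)
    old_id = _norm(old_key)[-16:]
    if new_fpr not in keys or old_id == new_fpr[-16:]:
        return False
    return any(
        sig.issuer_keyid == old_id and sig.sig_class in CERT_CLASSES
        for sigs in keys[new_fpr].values()
        for sig in sigs
    )


def local_signatures(keys):
    """(fingerprint, user_id, issuer) for every non-exportable certification."""
    return [
        (fpr, uid, sig.issuer_keyid)
        for fpr, uids in keys.items()
        for uid, sigs in uids.items()
        for sig in sigs
        if not sig.exportable
    ]


if __name__ == "__main__":
    listing = parse_listing(SAMPLE_LISTING)
    current = "591F F17F 7A4A A8D0 F659 C482 AF3D 4087 301B 1B19"
    print("linked to old key:", chain_is_linked(listing, current, "0x0123456789ABCDEF"))
    print("local signatures:", local_signatures(listing))
```

A listing only reports which key ID each signature claims to come from; run `gpg --check-sigs` (or import the old key and let GnuPG verify) before treating a "link" as cryptographically established, and note that the old key must actually be in the keyring for that verification to succeed.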