On Tue 2017-05-30 21:25:24 +0200, Stefan Claas wrote:
> Let's assume we would exchange signed emails (PGP/SMIME) would these proofs
> be enough for you to warrant a sig2? And for a sig3 an additional video
> conference?
>
> The classical procedure would be to sign a key with a sig3 after seeing
> the person's id-card in a real meeting. But who guarantees that the
> id-card is not fake (if the person is a complete stranger)?

I don't recommend that anyone make a sig1, sig2, or sig3 for any third-party certification (sig3 is fine for self-signatures, where the keyholder asserts their own identity).

sig0 -- the default, generic certification -- is fine, does what people need of it, and doesn't intentionally leak any more of the social graph than it needs to.

In GnuPG, this is accessed via the "--ask-cert-level" flag. I explain my reasoning further in a blog post titled "gpg --ask-cert-level considered harmful":

https://debian-administration.org/users/dkg/weblog/98

--dkg
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
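
A keyring audit for the recommendation in the message above, as an added example that is not part of the original post and not GnuPG's own code: it reads `gpg --with-colons --list-sigs` output and reports third-party certifications made at sig1, sig2 or sig3, leaving sig0 and self-signatures alone. It assumes field 11 of each `sig` record holds the signature class (`10`-`13` in hex) followed by `x` (exportable) or `l` (local); the sample records, key IDs and names are constructed, and `audit_cert_levels` is a hypothetical helper name.

```python
"""Report third-party certifications made at sig1-sig3 in gpg colon output."""

# Constructed sample in the `gpg --with-colons --list-sigs` record layout
# (placeholder key IDs and names, not real keys).
SAMPLE = """\
pub:u:4096:1:AAAAAAAAAAAAAAAA:1400000000:::u:::scESC:
uid:u::::1400000000::0000::Alice Example <alice@example.org>:
sig:::1:AAAAAAAAAAAAAAAA:1400000000::::Alice Example <alice@example.org>:13x:
sig:::1:BBBBBBBBBBBBBBBB:1450000000::::Bob Example <bob@example.org>:10x:
sig:::1:CCCCCCCCCCCCCCCC:1460000000::::Carol Example <carol@example.org>:12x:
sig:::1:DDDDDDDDDDDDDDDD:1470000000::::[User ID not found]:13l:
sub:u:4096:1:EEEEEEEEEEEEEEEE:1400000000::::::e:
sig:::1:AAAAAAAAAAAAAAAA:1400000000::::Alice Example <alice@example.org>:18x:
"""

# OpenPGP certification signature classes: 0x10 generic (sig0) .. 0x13 positive (sig3).
CERT_CLASSES = (0x10, 0x11, 0x12, 0x13)


def audit_cert_levels(colon_output):
    """Return (primary_keyid, uid, signer_keyid, level, exportable) for each
    third-party certification whose level is 1, 2 or 3."""
    findings = []
    primary = uid = None
    for line in colon_output.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            primary, uid = f[4], None
        elif f[0] == "uid":
            uid = f[9]
        elif f[0] == "sub":
            uid = None  # following sig records bind the subkey, not a user ID
        elif f[0] == "sig" and uid and len(f) > 10 and len(f[10]) >= 2:
            try:
                sigclass = int(f[10][:2], 16)
            except ValueError:
                continue  # malformed class field
            if sigclass not in CERT_CLASSES or f[4] == primary:
                continue  # not a certification, or a self-signature
            if sigclass != 0x10:
                findings.append((primary, uid, f[4], sigclass - 0x10,
                                 f[10][2:3] == "x"))
    return findings


if __name__ == "__main__":
    for key, uid, signer, level, exportable in audit_cert_levels(SAMPLE):
        scope = "exportable" if exportable else "local-only"
        print(f"{key} {uid!r}: sig{level} from {signer} ({scope})")
```

Exportable findings are the ones that publish the extra level along with the key; local-only ones stay in the local keyring.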