How trust works in gpg...

David Shaw dshaw at
Tue Apr 15 18:39:07 CEST 2008

On Tue, Apr 15, 2008 at 04:09:51PM +0100, Peter Lewis wrote:
> Please excuse one final question: I have signed keys with one person (A), whom 
> I trust fully, and he has signed keys with another person (B), whom I know, 
> but with whom I have not signed keys. B's key is (correctly) showing as 
> *valid*. Should I still wait until I can check his identity using the 
> photo-id and fingerprint, or is this now good enough for me to sign B's key?
> I wouldn't have thought so, but I just want to make sure I'm
> absolutely clear about this stuff.

You are correct.  You should not sign his key until you check his
identity.  Signing his key is making a statement that you confirm his
identity, and in the example above you cannot make such a statement.
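The distinction discussed in this exchange, as an added example that is not part of the original message or GnuPG's own code: a simplified model of the classic trust model, showing that B's key becomes valid through A's signature without the user ever having certified B. It assumes GnuPG's default thresholds (completes-needed 1, marginals-needed 3, max-cert-depth 5); the function names and the extra key "C" are constructed for illustration.

```python
# Simplified sketch of GnuPG's classic trust model (illustrative, not GnuPG code).
FULL, MARGINAL = "full", "marginal"

def valid_keys(me, sigs, ownertrust, completes=1, marginals=3, max_depth=5):
    """Keys considered valid from `me`'s point of view.

    sigs:       set of (signer, signee) certifications
    ownertrust: signer -> FULL or MARGINAL (how far `me` trusts that
                person to check identities before signing)
    """
    valid = {me}  # my own key is ultimately trusted
    for _depth in range(max_depth):
        newly = set()
        for key in {signee for _s, signee in sigs} - valid:
            # Only signatures made by already-valid keys count.
            signers = [s for s, t in sigs if t == key and s in valid]
            full = sum(1 for s in signers
                       if s == me or ownertrust.get(s) == FULL)
            marg = sum(1 for s in signers if ownertrust.get(s) == MARGINAL)
            if full >= completes or marg >= marginals:
                newly.add(key)
        if not newly:
            break
        valid |= newly
    return valid

def certified_by(signer, sigs):
    """Keys whose owner's identity `signer` has personally vouched for."""
    return {t for s, t in sigs if s == signer}

# Constructed scenario from the question: I signed A, A signed B.
# "C" (signed only by B) is an added key to show validity is not trust.
SIGS = {("me", "A"), ("A", "B"), ("B", "C")}
TRUST = {"A": FULL}

if __name__ == "__main__":
    v = valid_keys("me", SIGS, TRUST)
    mine = certified_by("me", SIGS)
    print("valid keys:        ", sorted(v))      # B is valid via A
    print("keys I certified:  ", sorted(mine))   # B is not among them
    print("valid, unverified: ", sorted(v - mine - {"me"}))
```

Validity is computed from other people's statements; a certification is the user's own statement, so it only belongs in `SIGS` after the identity check described in the reply.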


