How trust works in gpg...
dshaw at jabberwocky.com
Tue Apr 15 18:39:07 CEST 2008
On Tue, Apr 15, 2008 at 04:09:51PM +0100, Peter Lewis wrote:
> Please excuse one final question: I have signed keys with one person (A), whom
> I trust fully, and he has signed keys with another person (B), whom I know,
> but with whom I have not signed keys. B's key is (correctly) showing as
> *valid*. Should I still wait until I can check his identity using the
> photo-id and fingerprint, or is this now good enough for me to sign B's key?
> I wouldn't have thought so, but I just want to make sure I'm
> absolutely clear about this stuff.
You are correct. You should not sign his key until you check his
identity. Signing his key is making a statement that you confirm his
identity, and in the example above you cannot make such a statement.
More information about the Gnupg-users