Signing a key (meaning)

Daniel Kahn Gillmor dkg at fifthhorseman.net
Thu Apr 7 19:44:05 CEST 2011


On 04/07/2011 12:06 PM, Charly Avital wrote:
> In another forum, one of the members signed my public key and uploaded
> it to the keyservers with his/her signature, without asking nor
> notifying me (the key was already on the key servers, but without this
> added signature)
> 
> I didn't invite this person to sign my key.
> 
> I don't know this person, never met her/him, never had any contact
> except the fact that we both participate in the same forum, together
> with other members.

I'd say you've learned something about the reliability of this other
person's OpenPGP certifications.  If you were to publicly identify them
(in a forum where they have a chance to respond, to be polite), I think
you'd be doing a favor to everyone who might have otherwise considered
relying on these certifications.

> I decided against asking this person to revoke the signature.

I can understand this.  It seems like a losing game, especially since
you can't control whether they decide to revoke or not.  Besides, it's
not your fault or your problem if they made an unverified certification.

> I generated a new key pair (that I don't intend to upload to any key
> server, but instead I shall send it directly to people whom I correspond
> with), and I shall gradually "phase-out" the previous key, until I
> finally revoke it.

I don't understand this.  What are you trying to protect yourself from?
Will you phase out this new key when one of your correspondents uploads
it to the public keyservers?

How do you plan to distribute updates or revocations to your correspondents?

> Yes, I know. Paranoia.

I have no problem with forms of paranoia that help keep people's
communication safe.  I do have a problem with paranoia that makes
communications more problematic and does nothing to make things more
safe or reliable.  Why advocate the latter?

	--dkg
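For the situation described in this thread, the check a key owner would want is to see who has certified their key and whether each certifier is someone they recognise. The following is an added example, not code from the thread or from GnuPG: it parses the colon-format output of `gpg --with-colons --list-sigs KEYID` and lists every non-self certification on the key's user IDs, flagging issuers that are not in an allowlist the owner keeps. The listing, key IDs and names are constructed.

```python
"""List third-party certifications on an OpenPGP key from gpg's colon
listing (`gpg --with-colons --list-sigs KEYID`).  Added example; the
sample listing, key IDs and user IDs below are constructed."""

# Constructed `--with-colons --list-sigs` output for one key.  In sig
# records field 5 is the issuer key ID, field 10 the issuer's user ID and
# field 11 the signature class (0x10..0x13 are certifications, a trailing
# 'x' marks an exportable one).  Real output has many more fields; only the
# ones used here are filled in.
SAMPLE_LISTING = """\
pub:u:2048:1:AAAA1111BBBB2222:1234567890:::u:::scESC::::::
uid:u::::1234567890::0123456789ABCDEF0123456789ABCDEF01234567::Alice Example <alice@example.org>::::::::::0:
sig:::1:AAAA1111BBBB2222:1234567890::::Alice Example <alice@example.org>:13x:::::2:
sig:::1:CCCC3333DDDD4444:1302170000::::Bob Known <bob@example.org>:13x:::::2:
sig:::1:EEEE5555FFFF6666:1302180000::::Someone Unknown <who@example.net>:13x:::::2:
sub:u:2048:1:1111222233334444:1234567890::::::e::::::
sig:::1:AAAA1111BBBB2222:1234567890::::Alice Example <alice@example.org>:18x:::::2:
"""

CERTIFICATION_CLASSES = ("10", "11", "12", "13")


def third_party_certifications(listing, known_certifiers=frozenset()):
    """Return (uid, issuer_keyid, issuer_uid, known) for every certification
    on a user ID that was not made by the key itself.  `known` is True when
    the issuer key ID is in `known_certifiers`, an allowlist the key owner
    maintains (an assumption of this example, not a gpg feature)."""
    primary = None       # key ID of the primary key being listed
    current_uid = None   # user ID the following sig records belong to
    found = []
    for line in listing.splitlines():
        fields = line.split(":")
        if len(fields) < 11:
            continue
        rec = fields[0]
        if rec == "pub":
            primary = fields[4]
        elif rec == "uid":
            current_uid = fields[9]
        elif rec in ("sub", "ssb"):
            current_uid = None   # subkey binding signatures are not certifications
        elif rec == "sig" and current_uid is not None:
            issuer, issuer_uid, sigclass = fields[4], fields[9], fields[10]
            if issuer == primary or sigclass[:2] not in CERTIFICATION_CLASSES:
                continue         # self-signature, or not a 0x10..0x13 certification
            found.append((current_uid, issuer, issuer_uid, issuer in known_certifiers))
    return found
```

A key ID is not a unique name for a key, so before trusting a match against the allowlist, fetch the certifier's key and compare full fingerprints (`gpg --check-sigs` also verifies that each certification is actually valid).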
