Signing a key (meaning)

Faramir faramir.cl at gmail.com
Fri Apr 8 02:29:55 CEST 2011


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On 07-04-2011 13:06, Charly Avital wrote:
...
> In another forum, one of the members signed my public key and uploaded
> it to the keyservers with his/her signature, without asking nor
> notifying me (the key was already on the key servers, but without this
> added signature)

  Oh, well, encryption faeries sooner or later will upload your keys to
keyservers. And you can't prevent people from signing it, especially the
newbies reading support lists.

> I didn't invite this person to sign my key.

  Yes, but the default setting of GnuPG is not to encrypt to untrusted
keys, so the first thing a newbie might do is to sign the keys of people
providing support in the list. After all, "trust all" doesn't sound any
good.

> I don't know this person, never met her/him, never had any contact
> except the fact that we both participate in the same forum, together
> with other members.

  And it might be a good reason to issue a local signature, after all,
after reading some messages, we might want to "mark" your key as a key
belonging to somebody that provides advice we can trust. But local
signatures are something we don't learn on the first day.

> I decided against asking this person to revoke the signature.

  Yes, that would add more "noise" to your key. People could interpret
it as a signal of distrust, instead of a "neutral" signal.

> I generated a new key pair (that I don't intend to upload to any key
> server, but instead I shall send it directly to people whom I correspond
> with), and I shall gradually "phase-out" the previous key, until I
> finally revoke it.

  As long as you write in support lists, I think that key would be
useful to you. And don't forget PGP faeries, your new key might be
uploaded, if one day one of your correspondents drinks decaffeinated
coffee by mistake.

  Maybe we should have a "daily use key" for mailing lists, signatures
on nicknames and so, and another for "business".

  Best Regards
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

-----END PGP SIGNATURE-----
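The message above contrasts exportable signatures (which travel to keyservers with the key) with local ones. As an added example, not part of the original post, this Python sketch reads `gpg --with-colons --list-sigs` output and reports third-party certifications on your key and whether your own certifications on other keys are exportable; the key IDs, names and listing are constructed, and the field positions assume the colon format described in GnuPG's doc/DETAILS.

```python
# Constructed sample of `gpg --with-colons --list-sigs` output (not real keys).
SAMPLE = """\
pub:u:2048:1:AAAAAAAAAAAAAAAA:1270000000:::u:::scESC:
uid:u::::1270000000::HASH1::Alice Example <alice@example.org>:
sig:::1:AAAAAAAAAAAAAAAA:1270000000::::Alice Example <alice@example.org>:13x:
sig:::1:BBBBBBBBBBBBBBBB:1302000000::::Newbie <newbie@example.org>:10x:
pub:-:2048:1:CCCCCCCCCCCCCCCC:1280000000:::-:::scESC:
uid:-::::1280000000::HASH2::Support Person <support@example.org>:
sig:::1:CCCCCCCCCCCCCCCC:1280000000::::Support Person <support@example.org>:13x:
sig:::1:AAAAAAAAAAAAAAAA:1302100000::::Alice Example <alice@example.org>:10l:
"""

CERT_CLASSES = {"10", "11", "12", "13"}  # RFC 4880 certification signatures


def audit_certifications(listing, my_keyid):
    """Return (kind, target_keyid, signer_keyid, exportable) tuples.

    kind is "third-party-on-mine" for someone else's certification on my key,
    or "mine-on-other" for a certification I issued on another key.
    """
    results = []
    current = None  # key ID of the most recent "pub" record
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] == "pub" and len(f) > 4:
            current = f[4]
        elif f[0] == "sig" and current and len(f) > 10:
            signer, sigclass = f[4], f[10]
            if signer == current:
                continue  # self-signature, not a third-party certification
            if sigclass[:2] not in CERT_CLASSES:
                continue
            # Field 11 ends in "x" (exportable) or "l" (local-only).
            exportable = sigclass.endswith("x")
            if current == my_keyid:
                results.append(("third-party-on-mine", current, signer, exportable))
            elif signer == my_keyid:
                results.append(("mine-on-other", current, signer, exportable))
    return results


if __name__ == "__main__":
    for kind, target, signer, exportable in audit_certifications(SAMPLE, "AAAAAAAAAAAAAAAA"):
        scope = "exportable" if exportable else "local-only"
        print(f"{kind}: key {target} certified by {signer} ({scope})")
```

A certification made with `gpg --lsign-key` shows up as local-only here and is left out when the key is exported or sent to a keyserver.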