Protecting IDs at a key signing party

Peter Lebbing peter at
Sun Jan 22 10:32:41 CET 2012

On 21/01/12 23:01, Robert J. Hansen wrote:
> Then they're signing it with *their* certificate, backed up by
> credentials that you yourself checked.  How is this a problem?

While I generally agree with you on the rest of your mail, this is not
necessarily the case. You met them at a keysigning party. They probably
presented you something they thought would prove their identity. If you read
"checked" as "you looked at it", then yes, probably that is also true :).
But I interpret "checked" here as "verified it was okay", and that is not
necessarily the case.

By the way, I think it's courtesy to send the signature to the key owner.
But it is not a security issue.

I have so far attended a keysigning party once. I noticed a few people had
not published my signature (don't know why)[1]. This also weakened my own
Web of Trust, which was not a big issue, but I still decided to do local
signatures on those keys that did not have my exportable signature. Fine.
But I also have a laptop, so I needed to export my local signatures,
etcetera. A lot of overhead, what with checking fingerprints again for the
local signature, all for a bit of courtesy...


[1] I have a slight tremor in the hands, and I noticed sometimes my passport
shook a bit while I was holding it up so the person in front of me could
check it. Perhaps they thought I was bloody nervous because I was trying to
trick them??

I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at
