Keysigning

Faramir faramir.cl at gmail.com
Wed Dec 3 22:34:40 CET 2014


On 02-12-2014 at 7:53, Robin Mathew Rajan wrote:
> Hello David, :)
> 
> I already uploaded my public key to a public key server some months
> ago. But there's no local Linux users group where I live! I sent
> emails to some people listed at biglumber.com with my Government
> issued ID card attached. But no reply came from them. :( Some of
> them are CACert Assurers!

  CAcert requires face-to-face meetings, since we (yes, I'm an
assurer) must check the government-issued ID and try to figure out if
it has been tampered with. Then we must compare the picture with your
face, to make sure you are you, and not someone else with your ID.

  But the purpose of getting a signature in your key is to:
1.- allow the person that issues the signature to trust your key validity.
2.- allow people trusting the signature issuer's judgement to trust
your key validity.

   So, if you get CAcert's signature, it allows people trusting CAcert's
procedures to consider your key as valid, but it won't have any
meaning for people who don't trust CAcert. Several persons on this
list fall in that category. A signature from a local Linux users
group would mean nothing to me, since I don't know any of them, and I
don't know what kind of validation they do before signing a key.

   In other words, you want signatures, but not just any signature,
you want signatures that have some meaning for the people that will be
exchanging messages with you. I know when I first made my key, I
wanted it signed, as if it was some kind of autograph book, but after
a while you realize it just increases the key's weight. Nothing to
worry too much about, since while you can't remove signatures from
keyservers (and you can't prevent somebody from fetching your key from
a keyserver, signing it with 200 bogus keys, and uploading it again),
you can still clear your local copy of your key, and send it by email
to one of your friends. And your friends can also fetch your key and
clean it from all the meaningless signatures it may have (meaningless
to them, as I said, it depends on each person).

   For some uses, I could use a key carrying only a nickname, and
exchange signatures with my gaming alliance, and that would be OK,
since I won't be exchanging any world domination plan with them. If I
were working with a customer that is a representative of a bank, and I
had to email him the user and password for the server I just set up for
them, I'd require a face-to-face meeting to sign his key (and I
wouldn't mind too much about what name is on the key, I'd care about
the person that uses the key. If the key says "Barack Obama", I'd
issue a local signature, so I can still use the signature to verify
the key's validity, and I would not be vouching to the world that the key
belongs to "Barack Obama"). Or I could trust the signature already
issued by my boss.
   By the way, that was just an example; probably any customer
requesting me to give them the server login info would accept it in
plain text over email, or maybe using WhatsApp. If "paranoid", they
may request that the user name be sent by mail and the password by SMS.
Yes, it's frustrating.

  Best Regards
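The argument above (a CAcert signature only means something to people who trust CAcert, bogus signatures from strangers mean nothing, and a local signature stays in the signer's own keyring) can be made concrete with a small model of GnuPG's classic trust model using its default thresholds (one fully trusted or three marginally trusted valid signers). This is added example code, not from the post or from GnuPG; the key ids, users and 200 bogus signers are constructed.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Signature:
    signer: str          # key id of the certifying key
    local: bool = False  # lsign: kept in the signer's keyring, never exported

@dataclass
class Keyring:
    owner: str                                      # the user's own key id
    ownertrust: dict = field(default_factory=dict)  # signer -> "full" | "marginal"
    sigs: dict = field(default_factory=dict)        # key id -> set of Signature

    def add_sig(self, key, sig):
        self.sigs.setdefault(key, set()).add(sig)

    def import_key(self, key, source):
        """Fetch a key from a keyserver or another user: local sigs do not travel."""
        for sig in source.sigs.get(key, set()):
            if not sig.local:
                self.add_sig(key, sig)

    def is_valid(self, key, _seen=frozenset()):
        """Simplified classic trust model: 1 full or 3 marginal valid signers."""
        if key == self.owner:
            return True
        full = marginal = 0
        for sig in self.sigs.get(key, set()):
            if sig.signer in _seen or not self.is_valid(sig.signer, _seen | {key}):
                continue                       # only signatures from valid keys count
            trust = "full" if sig.signer == self.owner else self.ownertrust.get(sig.signer)
            full += trust == "full"
            marginal += trust == "marginal"
        return full >= 1 or marginal >= 3

def scenario():
    """Constructed case: Robin's key carries one CAcert signature plus 200 bogus ones."""
    robin, cacert = "ROBIN", "CACERT"
    keyserver = Keyring(owner="KEYSERVER")
    keyserver.add_sig(robin, Signature(cacert))
    for i in range(200):                        # anyone can sign a key and re-upload it
        keyserver.add_sig(robin, Signature(f"BOGUS{i}"))
    alice = Keyring(owner="ALICE", ownertrust={cacert: "full"})
    alice.add_sig(cacert, Signature("ALICE"))   # Alice certified CAcert's key herself
    alice.import_key(robin, keyserver)
    faramir = Keyring(owner="FARAMIR")          # no ownertrust assigned to CAcert
    faramir.import_key(robin, keyserver)
    before = faramir.is_valid(robin)
    faramir.add_sig(robin, Signature("FARAMIR", local=True))  # lsign after meeting in person
    bob = Keyring(owner="BOB", ownertrust={"FARAMIR": "full"})
    bob.add_sig("FARAMIR", Signature("BOB"))
    bob.import_key(robin, faramir)              # Faramir's local signature is not exported
    return {"alice": alice.is_valid(robin), "faramir_before": before,
            "faramir_after": faramir.is_valid(robin), "bob": bob.is_valid(robin)}
```

Bob ends up with Robin's key carrying only the CAcert and bogus signatures, so it is not valid for him even though he fully trusts Faramir; that is exactly why a local signature is the right tool when you do not want to vouch for a key to the world.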



More information about the Gnupg-users mailing list