protecting pub-keys from unwanted signatures

Viktor Dick viktordick86 at gmail.com
Sun Aug 16 17:31:10 CEST 2015


On 16.08.2015 16:26, Stefan Claas wrote:
> If I understand you correctly, it would not help me if someone
> would sign my key without my approval, so to speak.

Sure it helps. If Alice signs my key and Bob wants to send me something
and trusts Alice, he can derive some trust that my key is also genuine.
One could argue that anyone who I do not know and who anyhow signs my
key will probably not be (rightfully) trusted by anyone. However, some
magazines (I'm thinking of c't) for example might put their fingerprint
on each issue and someone who buys it might sign their key so that some
friend of theirs who has no direct access to that can still be somehow
sure that the key is correct.

I haven't looked at Facebook's public key, but let's assume that I want
to send them an e-mail and tell my client 'get the key of
info at facebook.com'. It will download the key with a lot of signatures,
some of which might be owned by someone in my web of trust. This person
has probably just checked that the fingerprint given on their webpage
matches the one of this particular key, but then that's something I do
not need to check myself.

(Not sure if that should be enough to sign a key, though...)

Kind regards
Viktor
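
Added example, not part of the original message and not GnuPG code: a simplified Python model of the point made above, that a signature only contributes to a key's validity when the signer is someone the verifier already trusts. The thresholds mirror GnuPG's documented defaults for --completes-needed, --marginals-needed and --max-cert-depth; the key names, the function names and the sample data are constructed for illustration.

```python
# Simplified web-of-trust validity model (illustrative, not GnuPG's algorithm).
COMPLETES_NEEDED = 1   # GnuPG default for --completes-needed
MARGINALS_NEEDED = 3   # GnuPG default for --marginals-needed
MAX_DEPTH = 5          # GnuPG default for --max-cert-depth


def valid_keys(own_key, signatures, ownertrust):
    """Return the set of keys the owner of own_key can treat as genuine.

    signatures: key -> set of keys that signed it
    ownertrust: key -> "full" or "marginal" (absent means unknown/untrusted)
    """
    valid = {own_key}
    trust = {**ownertrust, own_key: "full"}  # own key: ultimate, counted as full
    for _ in range(MAX_DEPTH):
        newly = set()
        for key, signers in signatures.items():
            if key in valid:
                continue
            # Only signatures made by keys already known to be valid count.
            usable = [s for s in signers if s in valid]
            full = sum(trust.get(s) == "full" for s in usable)
            marginal = sum(trust.get(s) == "marginal" for s in usable)
            if full >= COMPLETES_NEEDED or marginal >= MARGINALS_NEEDED:
                newly.add(key)
        if not newly:
            break
        valid |= newly
    return valid


# Constructed sample data: Bob signed Alice's key and trusts her fully.
# Alice signed Viktor's key. "mallory" is a signer nobody in Bob's web knows.
SIGNATURES = {
    "alice": {"bob"},
    "viktor": {"alice", "mallory"},
    "stranger": {"mallory"},
}
OWNERTRUST = {"alice": "full"}


def demo():
    """Compare Bob's view with and without the unknown signature on Viktor's key."""
    with_unknown = valid_keys("bob", SIGNATURES, OWNERTRUST)
    stripped = {**SIGNATURES, "viktor": {"alice"}}
    without_unknown = valid_keys("bob", stripped, OWNERTRUST)
    return with_unknown, without_unknown
```

In this model the unknown signer's signature neither adds to nor subtracts from what Bob accepts: Viktor's key is valid through Alice alone, and a key signed only by the unknown signer stays unvalidated.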
