protecting pub-keys from unwanted signatures

Stefan Claas admin at zwiebelfreund.de
Sun Aug 16 18:31:20 CEST 2015


On Sun, Aug 16, 2015 at 05:31:10PM +0200, Viktor Dick wrote:
> On 16.08.2015 16:26, Stefan Claas wrote:
> > If I understand you correctly, it would not help me if someone
> > would sign my key without my approval, so to speak.
> 
> Sure it helps. If Alice signs my key and Bob wants to send me something
> and trusts Alice, he can derive some trust that my key is also genuine.
> One could argue that anyone who I do not know and who anyhow signs my
> key will probably not be (rightfully) trusted by anyone. However, some
> magazines (I'm thinking of c't) for example might put their fingerprint
> on each issue and someone who buys it might sign their key so that some
> friend of theirs who has not direct access to that can still be somehow
> sure that the key is correct.

OK, I understand, but it does not help to solve the issue of unwanted signatures,
which I'm talking about.
 
> I haven't looked at Facebook's public key, but let's assume that I want
> to send them an e-mail and tell my client 'get the key of
> info at facebook.com'. It will download the key with a lot of signatures,
> some of which might be owned by someone in my web of trust. This person
> has probably just checked that the fingerprint given on their webpage
> matches the one of this particular key, but then that's something I do
> not need to check myself.
> 
> (Not sure if that should be enough to sign a key, though...)
> 
> Kind regards
> Viktor
> 
Here's, as an example, the Facebook pub key:
https://pgp.mit.edu/pks/lookup?search=facebook+Inc&op=vindex

Should GnuPG now be enhanced, or the key servers be updated,
similar to the pgp.com one, in order to not allow such things in
the future?

Regards
Stefan


