protecting pub-keys from unwanted signatures
2014-667rhzu3dc-lists-groups at riseup.net
Wed Aug 19 00:54:41 CEST 2015
-----BEGIN PGP SIGNED MESSAGE-----
On Monday 17 August 2015 at 12:27:10 AM, in
<mid:55D11C4E.1010505 at unseen.is>, Administrador wrote:
> For me there is no trust in the fact that anyone can sign my key and put
> it on a keyserver, and because I do not know the person who did can not
> validate their signiture/identity.
For the time being, forget keys and think about people in the real
world. Do you know the name of everybody who knows your name? Do you
know the name of anybody who does not know your name?
> What trust does this offer the
> people who are real, trusted and known by me and whos keys have been
> validated by me and my key(s) by them?
None: if you know each other and have verified each other's keys, you
do not need a certification from anybody else. In that case all
signatures are just "noise".
What about somebody who has not verified your key, but has verified
one or more of the keys that have signed your key? They can use the
presence of those signatures as a factor in deciding whether to trust
your key. In that case, signatures from keys that person has verified
are useful _to_that_person_ but any other signatures are "noise"
_to_that_person_. The signatures that have been found useful in this
case won't necessarily be signatures from keys that you have verified,
but their presence may have enabled somebody to decide to trust your
> Give the owner the authority of his own public key and
> this issue would fixed. For example: Only the owner of
> the public key has the right to put/remove/modify his
> own public key on a keyserver.
If such a server were implemented, anybody wanting to add a signature
without the key-owner's sanction could fetch the key, sign it, and
upload it to an ordinary server.
MFPA <mailto:2014-667rhzu3dc-lists-groups at riseup.net>
Free advice costs nothing until you act upon it
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
More information about the Gnupg-users