How to get your first key signed
Bob Henson
bob.henson at galen.org.uk
Thu Oct 1 10:33:59 CEST 2015
On 30/09/2015 8:58 pm, Robert J. Hansen wrote:
>> I create for myself a gpg key and want to get it signed
>
> More important than whether your certificate gets signed is who signs
> the certificate, who they are connected to, and so on.
>
> Some people will sign almost anything. People who get a reputation for
> signing anything develop a reputation for their signatures being
> meaningless. Some people have very strong requirements before they'll
> sign. Their signatures are often worth quite a lot of credibility, but
> good luck getting them.
>
> The good news is this *can be done*. I promise.
>
> The best thing you can do right now is to get involved in the community.
> Get engaged in the mailing lists (here, PGP-Basics, Enigmail-Users are
> three good ones). And when you post, sign your messages. Over time
> people will come to trust that your signature connects to the real you,
> even if they can't promise that your name really is David Niklas, or
> can't say what you look like.
>
Whilst that is partially useful, surely it only vouches for the fact
that the postings came from the same person and not who that person is -
and as such is of very limited use. I have a "newsgroup" key for that
purpose - but it is a tad pointless. I think I know the person who calls
himself Robert J. Hansen and you have certainly corresponded with
someone called Robert H. Henson, but we have no idea who those people
are unless we meet. Keys should only ever be signed in person and if the
person is not well known to you by sight, with some form of irrefutable
photo evidence being presented along with the key signature - a
passport, or something carrying equal weight.

There might be a possible exception where there is no individual person
to meet - the verification signature with software, say. When you have
downloaded the software from the same, known website for some time it
might be reasonable to sign the verification key - if a tad pointless if
it is only really a checksum. Perhaps the same applies to a Certificate
Authority key, say. But a signature of any person's key that you have
not met and positively verified is worse than useless as it degrades the
whole trust process. Someone who I had never previously even heard of
once signed my old, now revoked key - were that person someone "known"
to be nasty, it would have degraded my key's value. The best it could
have been is totally meaningless.

Regards,
Bob
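The practice Bob argues for (certify a key only after verifying both the person and the key's fingerprint, and treat a software project's verification key as a separate case) can be mechanised as a small wrapper around gpg. The script below is an added example written for this archive page; it is not code from the thread or from GnuPG. The function names, the argument order of `sign_after_verify` and the sample fingerprint are constructed for the example, while `--with-colons`, `--fingerprint`, `--quick-sign-key` and `--quick-lsign-key` are real GnuPG options (2.1 or later). Exportable certifications are reserved for a person met face to face; for a release-signing key with nobody to meet, the certification is made local (non-exportable), so it marks the key as verified in your own keyring without publishing a claim about someone you have never met.

```shell
#!/bin/sh
# Added example for this page, not from the thread or from GnuPG.
# Check a key's fingerprint against one obtained out of band (read from the
# slip the owner handed over while you looked at their passport) before
# certifying it; for a key with no person behind it (a project's release key)
# make the certification local and non-exportable instead.

# Turn a fingerprint as people write it ("0123 4567 ..." or lowercase) into
# contiguous upper-case hex so two copies can be compared exactly.
normalize_fp() {
    printf '%s' "$1" | tr -d ' \t\n' | tr 'a-f' 'A-F'
}

# Succeed only when both inputs normalise to the same full fingerprint
# (40 hex digits for v4 keys, 64 for v5).  A short key ID is rejected on
# purpose: only the full fingerprint identifies a key.
fingerprints_match() {
    a=$(normalize_fp "$1")
    b=$(normalize_fp "$2")
    case "$a" in
        *[!0-9A-F]*) return 1 ;;
    esac
    case "${#a}" in
        40|64) ;;
        *) return 1 ;;
    esac
    [ "$a" = "$b" ]
}

# Print the primary-key fingerprint(s) gpg holds for a key ID or user ID,
# using the machine-readable colon format: the "fpr" record that follows a
# "pub" record carries the primary fingerprint in field 10.
gpg_fingerprint() {
    gpg --batch --with-colons --fingerprint "$1" 2>/dev/null \
        | awk -F: '$1 == "pub" { want = 1; next }
                   $1 == "fpr" && want { print $10; want = 0 }'
}

# Certify KEY only if the fingerprint in the keyring matches VERIFIED_FP.
# MODE "local" uses --quick-lsign-key: the certification stays in your own
# keyring and is never exported, which suits a software signing key you have
# only ever fetched from the same website.  Any other MODE uses
# --quick-sign-key, the exportable certification you would make only for a
# person you met and whose photo ID you checked.
sign_after_verify() {
    key=$1; verified_fp=$2; mode=${3:-exportable}
    have_fp=$(gpg_fingerprint "$key")
    set -- $have_fp                      # one word per matching primary key
    if [ $# -ne 1 ]; then
        echo "expected exactly one key for '$key', found $#: refusing to sign" >&2
        return 1
    fi
    if ! fingerprints_match "$1" "$verified_fp"; then
        echo "fingerprint mismatch for '$key': refusing to sign" >&2
        return 1
    fi
    if [ "$mode" = local ]; then
        gpg --batch --quick-lsign-key "$1"
    else
        gpg --batch --quick-sign-key "$1"
    fi
}

# Constructed sample fingerprint (not a real key) used to exercise the checks.
SAMPLE_FP="0123 4567 89AB CDEF 0123 4567 89AB CDEF 0123 4567"
```

Typical use after a meeting would be `sign_after_verify "alice at example.org" "$fp_from_alices_slip"` (placeholder user ID), and for a project key `sign_after_verify "Example Project Release Key" "$fp_from_project_site" local`. The wrapper refuses when the user ID matches more than one key, when the keyring's fingerprint differs from the one verified out of band, or when it is handed a short key ID rather than a full fingerprint, so a typo or a look-alike key never results in a certification.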