How to get your first key signed

Peter Lebbing peter at digitalbrains.com
Thu Oct 1 12:35:09 CEST 2015


On 01/10/15 10:33, Bob Henson wrote:
> There might be a possible exception where there is no individual
> person to meet - the verification signature with software, say. When
> you have downloaded the software from the same, known website for
> some time it might be reasonable to sign the verification key - if a
> tad pointless if it is only really a checksum.

Well, it doesn't help me at all to know that the developer of said
software indeed has "David Niklas" on his passport. That gives me no
more confidence in the integrity of the software than if he had a
different name. All I need to know is that that piece of software that I
previously trusted has had an update written by the guy or girl I trust,
regardless of his or her name.[1]

I don't understand "it's only really a checksum". The key property is
that it's signed by the same developer each and every time. A checksum
has very different properties, but I might simply misunderstand you.

> Someone who I had never previously even heard of once signed my old,
> now revoked key - were that person someone "known" to be nasty, it
> would have degraded my key's value.

No, it should not degrade the key's value. Unfortunately the key's value
is in the eye of the beholder, and that eye is often not fully aware of
the lack of implications an untrusted signature has. An untrusted
signature has precisely one implication: useless baggage. It neither
increases nor decreases the value of the key it has signed.

One of the people whose key I've signed at a keysigning party gained a
signature by Adolph Hitler. Enter Godwin's Law. Anyway, he revoked the
key. I can understand that. It just looks bad when someone uses the web
interface of a keyserver to look up his key. But it doesn't degrade his
key in any way other than what is a misperception. Only trusted keys
matter. Untrusted keys can be wholly ignored. Even if they are from the
Führer.

> The best it could have been is totally meaningless.

It /is/ totally meaningless. And we should educate users that it is
meaningless.

HTH,

Peter.

[1] If some really persistent threat was Man In The Middle all the time
I downloaded the software and the key, they could replace the key all
that time by their own. Then at some point, when I trust the wrong key,
they could still do something nasty with the software. But this is a
much higher bar than once MITM'ing and inserting nastiness.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>
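The points above (a detached signature from the same developer key is not "only really a checksum", and a certification by some stranger on that key is useless baggage that changes nothing) can be checked end to end with GnuPG. The script below is an added illustration for this thread, not code from the original message or from the GnuPG project. It builds a throwaway GnuPG home, generates a "developer" key and a "stranger" key, lets the stranger certify the developer's key, exports the developer key alone into a pinned keyring, and then verifies a genuine release, a tampered release with an attacker-supplied checksum, and a release signed by the stranger. All user IDs, file names and contents are constructed for the demo; it assumes gpg 2.1+, gpgv, and sha256sum or shasum on the PATH.

```shell
#!/bin/sh
# Added example (not from the original thread or from GnuPG): a release
# verified against a keyring pinned to one developer key, compared with a
# checksum published over the same channel as the file. Every key, user ID
# and file below is constructed here; nothing is fetched from the network.
set -eu

sum256() {  # hex SHA-256 of $1; works with either sha256sum or shasum
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"; else shasum -a 256 "$1"; fi | cut -d' ' -f1
}

gpgq() {  # gpg in unattended mode with an empty passphrase (demo keys only)
    gpg --batch --quiet --yes --pinentry-mode loopback --passphrase '' "$@"
}

gen_key() {  # signing-only ed25519 key for user ID $1; prints its fingerprint
    gpgq --quick-generate-key "$1" ed25519 sign 0 >/dev/null
    gpg --batch --with-colons --list-keys "$1" | awk -F: '$1=="fpr"{print $10; exit}'
}

# verify_pinned SIG FILE: 0 only if FILE carries a good signature by a key in
# the pinned keyring. gpgv trusts exactly the keys in the keyring it is given,
# which is the "signed by the same developer every time" property.
verify_pinned() {
    gpgv --keyring "$PINNED" "$1" "$2" >/dev/null 2>&1
}

HAVE_GPG=0
if command -v gpg >/dev/null 2>&1 && command -v gpgv >/dev/null 2>&1; then
    HAVE_GPG=1
    WORK=$(mktemp -d)
    export GNUPGHOME="$WORK/gnupg"
    mkdir -m 700 "$GNUPGHOME"
    trap 'gpgconf --kill gpg-agent >/dev/null 2>&1 || true; rm -rf "$WORK"' EXIT
    PINNED="$WORK/pinned.gpg"

    DEV=$(gen_key "Dev <dev@example.invalid>")
    STRANGER=$(gen_key "Stranger <stranger@example.invalid>")

    # The stranger certifies the developer's key: the "useless baggage" case.
    gpgq -u "$STRANGER" --quick-sign-key "$DEV"

    # Pin the developer's public key only. The stranger's certification rides
    # along in the export, but the stranger's own key is not in this keyring.
    gpg --batch --export "$DEV" > "$PINNED"

    # Developer publishes a release, a detached signature and a checksum.
    printf 'release 1.0 payload\n' > "$WORK/release.tar"
    gpgq -u "$DEV" --output "$WORK/release.tar.sig" --detach-sign "$WORK/release.tar"
    sum256 "$WORK/release.tar" > "$WORK/release.tar.sha256"

    # An attacker on the path swaps the file AND the checksum (same channel,
    # same attacker) and signs the swapped file with the stranger's key.
    printf 'release 1.0 payload with a backdoor\n' > "$WORK/evil.tar"
    sum256 "$WORK/evil.tar" > "$WORK/evil.tar.sha256"
    gpgq -u "$STRANGER" --output "$WORK/evil.tar.sig" --detach-sign "$WORK/evil.tar"

    GENUINE_OK=0;  verify_pinned "$WORK/release.tar.sig" "$WORK/release.tar" && GENUINE_OK=1
    FORGED_OK=0;   verify_pinned "$WORK/evil.tar.sig" "$WORK/evil.tar" && FORGED_OK=1
    MISMATCH_OK=0; verify_pinned "$WORK/release.tar.sig" "$WORK/evil.tar" && MISMATCH_OK=1
    CHECKSUM_OK=0; [ "$(sum256 "$WORK/evil.tar")" = "$(cat "$WORK/evil.tar.sha256")" ] && CHECKSUM_OK=1

    echo "genuine release, developer sig:   $GENUINE_OK  (1: accepted)"
    echo "swapped release, stranger sig:    $FORGED_OK  (0: key not pinned)"
    echo "swapped release, developer sig:   $MISMATCH_OK  (0: content changed)"
    echo "swapped release, swapped checksum: $CHECKSUM_OK  (1: checksum proved nothing)"

    # Seen from the pinned keyring, the stranger's certification is just an
    # unverifiable 'sig?' line; none of the results above depended on it.
    gpg --batch --no-default-keyring --keyring "$PINNED" --check-sigs "$DEV" 2>/dev/null | grep '^sig' || true
fi
```

The attacker's checksum passes because whoever can replace the download can replace the checksum next to it; the attacker's signature fails because gpgv only knows the pinned developer key, and the stranger's certification on that key is ignored entirely. Replacing the pinned key itself is the remaining attack, which is the higher bar described in footnote [1].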