How to get your first key signed

Bob Henson bob.henson at galen.org.uk
Thu Oct 1 13:08:18 CEST 2015


On 01/10/2015 11:35 am, Peter Lebbing wrote:
> On 01/10/15 10:33, Bob Henson wrote:
>> There might be a possible exception where there is no individual
>> person to meet - the verification signature with software, say. When
>> you have downloaded the software from the same, known website for
>> some time it might be reasonable to sign the verification key - if a
>> tad pointless if it is only really a checksum.
> 
> Well, it doesn't help me at all to know that the developer of said
> software indeed has "David Niklas" on his passport. That gives me no
> more confidence in the integrity of the software than if he had a
> different name. All I need to know is that that piece of software that I
> previously trusted has had an update written by the guy or girl I trust,
> regardless of his or her name.[1]

That's what I was implying when I described it as a possible exception.


> I don't understand "it's only really a checksum". The key property is
> that it's signed by the same developer each and every time. A checksum
> has very different properties, but I might simply misunderstand you.

If the program has been altered, the signature will fail, will it not?

> 
>> Someone who I had never previously even heard of once signed my old,
>> now revoked key - were that person someone "known" to be nasty, it
>> would have degraded my key's value.
> 
> No, it should not degrade the key's value. Unfortunately the key's value
> is in the eye of the beholder, and that eye is often not fully aware of
> the lack of implications an untrusted signature has. An untrusted
> signature has precisely one implication: useless baggage. It neither
> increases nor decreases the value of the key it has signed.
> 
> One of the people whose key I've signed at a keysigning party gained a
> signature by Adolph Hitler. Enter Godwin's Law. Anyway, he revoked the
> key. I can understand that. It just looks bad when someone uses the web
> interface of a keyserver to look up his key. But it doesn't degrade his
> key in any way other than what is a misperception. Only trusted keys
> matter. Untrusted keys can be wholly ignored. Even if they are from the
> Führer.
> 
>> The best it could have been is totally meaningless.
> 
> It /is/ totally meaningless. And we should educate users that it is
> meaningless.

Agreed. But a new user who has yet to be educated would baulk at
trusting a key signed by Genghis Khan or Attila the Hun - however they
perceived it, they might well refuse to acknowledge the signature as
valid and would certainly not sign it or assign it user trust - that's
human nature. Human beings are essentially illogical. :-)
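The check Peter describes above (a good signature made by the same developer's key as last time, which a bare checksum cannot tell you), as an added shell example that is not part of the thread: it parses GnuPG's machine-readable `--status-fd` output for the VALIDSIG line and compares the signing or primary key fingerprint with one pinned from the previously trusted release. The pinned fingerprint is a constructed placeholder, and `verify_release` is an assumed wrapper name.

```shell
#!/bin/sh
# Added example: accept a release only if it carries a valid signature from the
# key we already trust (key continuity), not merely "some" valid signature.

# Placeholder: record the real fingerprint from the release you trusted last time.
PINNED_FPR="0000000000000000000000000000000000000000"

# Print the fingerprints named on gpg's VALIDSIG status line: the signing key
# (field 3) and, when present, the primary key (field 12). Prints nothing when
# the signature was bad or missing, because gpg emits no VALIDSIG then.
validsig_fprs() {
    # $1 = text captured from `gpg --status-fd 1 --verify ...`
    printf '%s\n' "$1" | awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" {
        print $3
        if (NF >= 12) print $12
        exit
    }'
}

# Succeed (exit 0) only if the status output shows a good signature whose
# signing or primary key fingerprint exactly matches the pinned one.
signed_by_pinned_key() {
    # $1 = gpg status output, $2 = pinned fingerprint (40 hex digits)
    validsig_fprs "$1" | grep -qx "$2"
}

# Run the real check when gpg is installed.  Usage: verify_release file file.sig
# A tampered file yields BADSIG (no VALIDSIG); a new, unknown signer yields a
# VALIDSIG with a different fingerprint.  Both are rejected.
verify_release() {
    status=$(gpg --status-fd 1 --verify "$2" "$1" 2>/dev/null) || true
    if signed_by_pinned_key "$status" "$PINNED_FPR"; then
        echo "OK: good signature by the pinned key"
    else
        echo "REJECT: no good signature by the pinned key (altered file or different signer)"
        return 1
    fi
}
```

A checksum published beside the download only confirms the bytes match what the same site served; the pinned-fingerprint comparison is what ties this release to the earlier ones.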

More information about the Gnupg-users mailing list