How to get your first key signed

Andrew Gallagher andrewg at andrewg.com
Thu Oct 1 13:35:02 CEST 2015


On 01/10/15 11:35, Peter Lebbing wrote:
> 
> Well, it doesn't help me at all to know that the developer of said
> software indeed has "David Niklas" on his passport. That gives me no
> more confidence in the integrity of the software than if he had a
> different name. All I need to know is that that piece of software that I
> previously trusted has had an update written by the guy or girl I trust,
> regardless of his or her name.[1]

Yes, trust in the intent, or competency, of a particular person is
completely different to verification of the identity of that person
(which is why I think PGP's use of the word "trust" in this context is
dangerously misleading).

> [1] If some really persistent threat was Man In The Middle all the time
> I downloaded the software and the key, they could replace the key all
> that time by their own. Then at some point, when I trust the wrong key,
> they could still do something nasty with the software. But this is a
> much higher bar than once MITM'ing and inserting nastiness.

And if you want to create a localsig on that basis, fire away. But
publicly certifying someone else's key is a statement of identity
verification, not trust.

A
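Added example (not part of this message, nor GnuPG's own documentation): a throwaway-keyring walk-through of the distinction drawn above. It assumes GnuPG 2.2 or later with gpg on the PATH; the two identities and addresses are made up. A local signature made with --quick-lsign-key is marked non-exportable, so an ordinary --export of the key leaves it out (it only appears if you ask for export-local-sigs), while the "trust" PGP talks about is ownertrust, a private per-keyring value set with --import-ownertrust and recorded nowhere on the key itself.

```shell
#!/bin/sh
# Added example, not code from the original post. Shows that an lsign stays in
# your own keyring, that an export omits it unless explicitly requested, and
# that ownertrust is a separate setting from any certification.
set -eu

# Two throwaway homedirs: "me" (the certifier) and "dev" (the software author).
GNUPGHOME=$(mktemp -d); export GNUPGHOME; chmod 700 "$GNUPGHOME"
DEV_HOME=$(mktemp -d); chmod 700 "$DEV_HOME"
trap 'gpgconf --kill gpg-agent 2>/dev/null || true;
      gpgconf --homedir "$DEV_HOME" --kill gpg-agent 2>/dev/null || true;
      rm -rf "$GNUPGHOME" "$DEV_HOME"' EXIT

# Non-interactive wrappers: batch mode, empty passphrase, no pinentry dialog.
g()  { gpg --batch --quiet --no-tty --pinentry-mode loopback --passphrase '' "$@"; }
gd() { g --homedir "$DEV_HOME" "$@"; }

# Fingerprint of the key matching user-id $2 in keyring wrapper $1
# (colon output, "fpr" record, field 10).
fpr_of() { "$1" --with-colons --list-keys "$2" | awk -F: '$1 == "fpr" { print $10; exit }'; }

# Number of OpenPGP signature packets in an export of key $1;
# remaining arguments are passed to gpg as extra export options.
sig_packets_in_export() {
    fpr=$1; shift
    g --export "$@" "$fpr" | g --list-packets | grep -c '^:signature packet:'
}

# Signature class (field 11 of a "sig" record) that key $2 placed on key $1.
# GnuPG appends "x" for exportable and "l" for local-only signatures.
sig_class() {
    g --with-colons --list-sigs "$1" \
        | awk -F: -v signer="$2" \
            '$1 == "sig" && substr(signer, length(signer) - 15) == $5 { print $11; exit }'
}

# Ownertrust level recorded for key $1 in our keyring ("-" if none is set).
ownertrust_of() {
    g --export-ownertrust \
        | awk -F: -v fpr="$1" '$1 == fpr { print $2; found = 1; exit } END { if (!found) print "-" }'
}

# Constructed identities for the example; no real people.
g  --quick-gen-key 'Me <me@example.org>'   default default never
gd --quick-gen-key 'Dev <dev@example.org>' default default never

# We only ever see dev's public key, as if downloaded alongside the software.
gd --export | g --import
ME=$(fpr_of g '<me@example.org>')
DEV=$(fpr_of g '<dev@example.org>')

# Local (non-exportable) certification: "this is the key my updates come from",
# without publishing any statement about who holds it.
g --default-key "$ME" --quick-lsign-key "$DEV"

PLAIN=$(sig_packets_in_export "$DEV")
WITH_LOCAL=$(sig_packets_in_export "$DEV" --export-options export-local-sigs)
CLASS=$(sig_class "$DEV" "$ME")

# Ownertrust (how far you trust the holder's certifications of other keys) is
# a separate, private statement: level 5 is "full".
TRUST_BEFORE=$(ownertrust_of "$DEV")
printf '%s:5:\n' "$DEV" | g --import-ownertrust
TRUST_AFTER=$(ownertrust_of "$DEV")

printf 'signature packets in export: %s plain, %s with export-local-sigs\n' "$PLAIN" "$WITH_LOCAL"
printf 'class of my signature on the dev key: %s (trailing l = local only)\n' "$CLASS"
printf 'ownertrust on the dev key: %s before, %s after\n' "$TRUST_BEFORE" "$TRUST_AFTER"
```

The plain export carries only the key's own self-signatures; the local certification shows up in --list-sigs with a class ending in "l" and is added to the export only by export-local-sigs. Changing ownertrust adds no signature packet at all, which is the sense in which certification and trust are different statements.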
