How to get your first key signed

Mark H. Wood mwood at IUPUI.Edu
Thu Oct 1 16:18:41 CEST 2015


On Thu, Oct 01, 2015 at 09:33:59AM +0100, Bob Henson wrote:
> On 30/09/2015 8:58 pm, Robert J. Hansen wrote:
> >> I create for myself a gpg key and want to get it signed
> > 
> > More important than whether your certificate gets signed is who signs
> > the certificate, who they are connected to, and so on.
> > 
> > Some people will sign almost anything.  People who get a reputation for
> > signing anything develop a reputation for their signatures being
> > meaningless.  Some people have very strong requirements before they'll
> > sign.  Their signatures are often worth quite a lot of credibility, but
> > good luck getting them.
> > 
> > The good news is this *can be done*.  I promise.
> > 
> > The best thing you can do right now is to get involved in the community.
> >  Get engaged in the mailing lists (here, PGP-Basics, Enigmail-Users are
> > three good ones).  And when you post, sign your messages.  Over time
> > people will come to trust that your signature connects to the real you,
> > even if they can't promise that your name really is David Niklas, or
> > can't say what you look like.
> > 
> 
> Whilst that is partially useful, surely it only vouches for the fact
> that the postings came from the same person and not who that person is -
> and as such is of very limited use. I have a "newsgroup" key for that
> purpose - but it is a tad pointless. I think I know the person who calls
> himself Robert J. Hansen and you have certainly corresponded with
> someone called Robert H. Henson, but we have no idea who those people
> are unless we meet. Keys should only ever be signed in person and if the
> person is not well known to you by sight, with some form of irrefutable
> photo evidence being presented along with the key signature - a
> passport, or something carrying equal weight.

There are two issues here.  One is what the O.P. asked:  how to get
useful signatures which bind a key to a specific physical-world
person.  Face-to-face meetings, photo ID, etc. are all part of that.

But the other is binding a key to a reputation.  And that can be done
at arm's length, simply by doing stuff in public and signing the stuff
with your perhaps-unsigned key.  If I've examined, tested, and used
stuff bound to key X, and learned to trust it, then when I meet some
other stuff bound to key X it is not unreasonable to trust it more
readily since, by means of key X, it is bound to stuff that I already
trust.

> There might be a possible exception where there is no individual person
> to meet - the verification signature with software, say. When you have
> downloaded the software from the same, known website for some time it
> might be reasonable to sign the verification key - if a tad pointless if
> it is only really a checksum. Perhaps the same applies to a Certificate
> Authority key, say. But a signature of any person's key that you have
> not met and positively verified is worse than useless as it degrades the
> whole trust process. Someone who I had never previously even heard of
> once signed my old, now revoked key - were that person someone "known"
> to be nasty, it would have degraded my key's value. The best it could
> have been is totally meaningless.

To put my point more plainly:  signatures on products and signatures
on keys mean different things, and to gain trust for them works in
different ways.

-- 
Mark H. Wood
Lead Technology Analyst

University Library
Indiana University - Purdue University Indianapolis
755 W. Michigan Street
Indianapolis, IN 46202
317-274-0749
www.ulib.iupui.edu
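The distinction Mark draws above, certifications on a key versus the key's track record on things it has signed, as an added Python example (not code from the thread or from GnuPG): it reads the `[GNUPG:]` status lines that `gpg --status-fd 1 --verify` emits, credits each verified signature to the signing fingerprint rather than to the user-ID name, and keeps the web-of-trust verdict (`TRUST_*`) as a separate fact. The status output, fingerprints, key IDs, file names and dates are constructed for the example.

```python
from collections import defaultdict

# Constructed sample: status-fd output from five separate `gpg --verify` runs,
# one per downloaded artifact. Fingerprints, key IDs and dates are made up.
FPR_A = "1111222233334444555566667777888899990000"
FPR_B = "9999888877776666555544443333222211110000"  # other key, same user ID
UID = "Example Project <release@example.invalid>"

def status(keyid, fpr, date, good=True):
    """Build constructed `gpg --status-fd 1 --verify` output for one artifact."""
    if not good:
        return f"[GNUPG:] BADSIG {keyid} {UID}\n"
    return (f"[GNUPG:] GOODSIG {keyid} {UID}\n"
            f"[GNUPG:] VALIDSIG {fpr} {date} 0 0 4 0 1 10 00 {fpr}\n"
            f"[GNUPG:] TRUST_UNDEFINED 0 pgp\n")  # nobody I trust certified it

VERIFICATIONS = [
    ("tool-1.0.tar.gz", status("0123456789ABCDEF", FPR_A, "2015-03-02")),
    ("tool-1.1.tar.gz", status("0123456789ABCDEF", FPR_A, "2015-06-14")),
    ("tool-1.2.tar.gz", status("0123456789ABCDEF", FPR_A, "2015-09-30")),
    ("tool-1.3.tar.gz", status("FEDCBA9876543210", FPR_B, "2015-10-01")),
    ("mirror-1.0.tar.gz", status("0123456789ABCDEF", FPR_A, "2015-03-02", good=False)),
]

def parse_status(text):
    """One verification -> (fingerprint or None unless verified, sig date, key trust)."""
    fpr, date, trust = None, None, None
    for line in text.splitlines():
        f = line.split()
        if len(f) > 3 and f[0] == "[GNUPG:]" and f[1] == "VALIDSIG":
            fpr, date = f[2], f[3]              # emitted only for a verified signature
        elif len(f) > 1 and f[0] == "[GNUPG:]" and f[1].startswith("TRUST_"):
            trust = f[1][6:].lower()            # web-of-trust verdict on the *key*
    return fpr, date, trust

def build_ledger(verifications):
    """Per fingerprint: what it has signed (its track record) vs. how it is certified."""
    ledger = defaultdict(lambda: {"artifacts": [], "first_seen": None,
                                  "last_seen": None, "key_trust": None})
    rejected = []
    for name, text in verifications:
        fpr, date, trust = parse_status(text)
        if fpr is None:
            rejected.append(name)               # a bad signature earns nothing
            continue
        e = ledger[fpr]                         # credit goes to the key, not the name
        e["artifacts"].append(name)
        e["first_seen"] = min(filter(None, [e["first_seen"], date]))
        e["last_seen"] = max(filter(None, [e["last_seen"], date]))
        e["key_trust"] = trust
    return dict(ledger), rejected
```

Key B carries the same user ID text as key A but starts with an empty track record, and the key-trust field stays "undefined" for both no matter how many artifacts verify: the two questions are answered independently.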