How to get your first key signed

Robert J. Hansen rjh at
Thu Oct 1 19:05:28 CEST 2015

> Whilst that is partially useful, surely it only vouches for the fact
> that the postings came from the same person and not who that person is -
> and as such is of very limited use.

Yes.  No.  Somewhere in between.

Some years ago a user on PGP-Basics was irate over how I refused to sign
my messages.  My argument was basically the one you were using: that
nobody on the list had verified my identity and that made my signatures
of marginal use.  This fellow insisted, and insisted rudely, so John
Clizbe, John W. Moore, and I all conspired together to make a point: we
created a keypair, shared it amongst us, and all three of us used the
exact same certificate to sign our emails.

It took a few months for anyone to notice.

So sure, yes, without identity verification it's hard to have confidence
in someone's legal identity, absolutely.  But even with identity
verification, most people don't even bother to check to see that the
signing certificate's email address matches the one on the email.
Identity verification is a useful step: it's not a sufficient one by itself.

> purpose - but it is a tad pointless.

Pointless in the sense of *legal* identity.  But there are many
identities other than the legal.

One of my favorite books, _Shibumi_, was written by an author named
Trevanian.  Trevanian was infamously private and withdrawn: there are
only a few interviews with him and they were all conducted via letter or
email.  Trevanian wrote books, had some amazing ideas and insights, and
was even responsible for a great Clint Eastwood movie (_The Eiger
Sanction_).  Trevanian was a real identity, as real as you could hope for.

And then there was Rodney William Whitaker, a professor at a small
American university who never amounted to very much.  Except that,
unbeknownst to the world at large, he was Trevanian.

So let's imagine, for sake of argument, that Trevanian had an OpenPGP
certificate which he used to sign all of his books, plays, and
screenplays, so that people could be confident they were reading an
authentic Trevanian work.  If I just read _The Eiger Sanction_, okay,
fine, that signature has little merit for me.  But then would come
_Shibumi_ and _The Summer of Katya_ and by the time _The Crazyladies of
Pearl Street_ came out I could be confident that if I saw Trevanian's
signature on an ebook, that ebook would be worth my hard-earned money.

Trevanian is an identity every bit as real as Rodney William Whitaker.
Trevanian can amass reputation, engage in interviews and communication,
opine on things, have fans and foes, the whole nine yards.  The only
thing Trevanian can't do is get a driver's license, because Trevanian
isn't a *legal* identity.

> are unless we meet. Keys should only ever be signed in person and if the
> person is not well known to you by sight, with some form of irrefutable
> photo evidence being presented along with the key signature - a
> passport, or something carrying equal weight.

No.  Absolutely not.  This is flat wrong.

You don't get to control what somebody else's signing policy is.  They
get to decide that on their own.  Neither you nor I nor anyone else gets
a vote in it.  We don't get to say what they should or should not do.

I have determined what *my own* signing policy is, and yes, it depends
on face to face meetings and identity documents.  That's because it
makes sense for my needs to do this.  But other people will have
different needs, and I've got no business telling them what their
signing policy should be.  Neither do you.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 1016 bytes
Desc: OpenPGP digital signature
URL: </pipermail/attachments/20151001/3aa01c09/attachment.sig>

More information about the Gnupg-users mailing list