How to get your first key signed

jonas hedman jonas.hedman at
Thu Oct 1 20:48:25 CEST 2015

On 15-10-01 13:05:28, Robert J. Hansen wrote:
> > Whilst that is partially useful, surely it only vouches for the fact
> > that the postings came from the same person and not who that person is -
> > and as such is of very limited use.
> Yes.  No.  Somewhere in between.
> Some years ago a user on PGP-Basics was irate over how I refused to sign
> my messages.  My argument was basically the one you were using: that
> nobody on the list had verified my identity and that made my signatures
> of marginal use.  This fellow insisted, and insisted rudely, so John
> Clizbe, John W. Moore, and I all conspired together to make a point: we
> created a keypair, shared it amongst us, and all three of us used the
> exact same certificate to sign our emails.
> It took a few months for anyone to notice.
> So sure, yes, without identity verification it's hard to have confidence
> in someone's legal identity, absolutely.  But even with identity
> verification, most people don't even bother to check to see that the
> signing certificate's email address matches the one on the email.
> Identity verification is a useful step: it's not a sufficient one by itself.

Doesn't all decent e-mail clients automagically check if a signature is
legit and matches the known public key?

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: Digital signature
URL: </pipermail/attachments/20151001/c7e67830/attachment.sig>

More information about the Gnupg-users mailing list