How to get your first key signed
jonas hedman
jonas.hedman at fripost.org
Thu Oct 1 20:48:25 CEST 2015
On 15-10-01 13:05:28, Robert J. Hansen wrote:
> > Whilst that is partially useful, surely it only vouches for the fact
> > that the postings came from the same person and not who that person is -
> > and as such is of very limited use.
>
> Yes. No. Somewhere in between.
>
> Some years ago a user on PGP-Basics was irate over how I refused to sign
> my messages. My argument was basically the one you were using: that
> nobody on the list had verified my identity and that made my signatures
> of marginal use. This fellow insisted, and insisted rudely, so John
> Clizbe, John W. Moore, and I all conspired together to make a point: we
> created a keypair, shared it amongst us, and all three of us used the
> exact same certificate to sign our emails.
>
> It took a few months for anyone to notice.
>
> So sure, yes, without identity verification it's hard to have confidence
> in someone's legal identity, absolutely. But even with identity
> verification, most people don't even bother to check to see that the
> signing certificate's email address matches the one on the email.
> Identity verification is a useful step: it's not a sufficient one by itself.
Doesn't all decent e-mail clients automagically check if a signature is
legit and matches the known public key?
/Jonas
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: Digital signature
URL: </pipermail/attachments/20151001/c7e67830/attachment.sig>
More information about the Gnupg-users
mailing list