How to get your first key signed

Guan Xin guanx.bac at gmail.com
Fri Oct 2 06:51:52 CEST 2015


On Thu, Oct 1, 2015 at 7:05 PM, Robert J. Hansen <rjh at sixdemonbag.org> wrote:
>
> Some years ago a user on PGP-Basics was irate over how I refused to sign
> my messages.  My argument was basically the one you were using: that
> nobody on the list had verified my identity and that made my signatures
> of marginal use.  This fellow insisted, and insisted rudely, so John
> Clizbe, John W. Moore, and I all conspired together to make a point: we
> created a keypair, shared it amongst us, and all three of us used the
> exact same certificate to sign our emails.
>
> It took a few months for anyone to notice.

So you three will share the same reputation on the mailing list.
If at least one of you commits crimes with your signed messages,
you will share the same legal liability unless proved not guilty
by other means, e.g. your private key was stolen or was derived
from your public key by the others, etc.

I don't think that's a problem because it doesn't cause any confusion
either online or offline.


> So sure, yes, without identity verification it's hard to have confidence
> in someone's legal identity, absolutely.  But even with identity
> verification, most people don't even bother to check to see that the
> signing certificate's email address matches the one on the email.

It's sad to hear that anyone takes it seriously to check that
a certificate's email address matches the originating mail address.
This really messes things up in the sense that it causes
additional inconvenience with little benefit.

I sign my files with exactly the same key no matter if they were sent
from my private email, business email, with IM tools, via http or fax.
In the last three cases there is no originating email address to check.

Of course I can use different keys, but what's the point?
More keys, more smart cards, more easily lost or forgotten,
more difficult to recognize by eye from their fingerprints ...

Guan
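
Added example, not part of the original message and not GnuPG's own code: the check discussed in this thread (does the signing key's user ID address match the mail's From address?) run over one key shared by three senders and over a file that arrived with no mail headers. The key ID, names and addresses are constructed; the status line follows the GOODSIG form that gpg --status-fd emits.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# gpg --status-fd line: "[GNUPG:] GOODSIG <long keyid or fpr> <primary user ID>"
GOODSIG = re.compile(
    r"^\[GNUPG:\] GOODSIG (?P<keyid>[0-9A-F]+) (?P<uid>.+)$", re.M)

def signer_matches_sender(raw_headers, gpg_status):
    """Compare the signer's primary user ID address with the From header.

    Returns (verdict, keyid); verdict is 'match', 'mismatch',
    'no-good-signature' or 'no-sender'. GOODSIG carries only the primary
    user ID, so a key with several user IDs can report 'mismatch' here
    even though one of its other user IDs would match.
    """
    m = GOODSIG.search(gpg_status)
    if not m:
        return ("no-good-signature", None)
    keyid = m.group("keyid")
    sender = parseaddr(message_from_string(raw_headers).get("From", ""))[1]
    if not sender:
        # e.g. a signed file delivered by IM, HTTP or fax: nothing to compare
        return ("no-sender", keyid)
    uid_addr = parseaddr(m.group("uid"))[1]
    verdict = "match" if uid_addr.lower() == sender.lower() else "mismatch"
    return (verdict, keyid)

# Constructed sample: one key, user ID naming only alice, used by three people.
SAMPLE_STATUS = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] GOODSIG 0123456789ABCDEF Shared List Key <alice@example.org>\n"
)

def demo():
    senders = ["alice@example.org", "bob@example.org", "carol@example.org"]
    results = {
        s: signer_matches_sender(f"From: {s}\nSubject: test\n\n", SAMPLE_STATUS)[0]
        for s in senders
    }
    results["(file, no headers)"] = signer_matches_sender("", SAMPLE_STATUS)[0]
    return results

if __name__ == "__main__":
    for who, verdict in demo().items():
        print(f"{who:22} {verdict}")
```
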


