How to get your first key signed

Guan Xin guanx.bac at gmail.com
Fri Oct 2 11:50:22 CEST 2015


On Fri, Oct 2, 2015 at 7:01 AM, Anthony Papillion
<anthony at cajuntechie.org> wrote:
>
> Sorry to just jump in here but I've been following the conversation
> and this caught my eye. While checking the email address associated
> with a key might not /always/ be useful (like in the case of IM, fax,
> etc), it /can/ help provide 'evidence' that a key might have been
> compromised. If I receive an email from an email address that is
> different from that on the key, the very first thing I would do is
> email the key holder at their known address and ask what's up. It
> could very well be a case where the key has been compromised but the
> email address hasn't and the key holder doesn't know.

While the key is used to certify the email / IM name / website, etc.
and not the other way round, it is certainly helpful to check both.
So you are right.
However, note that an email inbox can be hijacked as well as a regular mailbox.

... After some thought, I found that for all the contact methods
(various email addresses, IMs, websites) where I use my key, I had
identified myself in person to my frequent contacts before.
So the signatures really mean that "this email / IM account has not
been compromised", and not that "this key is probably compromised".

Guan



More information about the Gnupg-users mailing list