How to get your first key signed

Antony Prince antony at blazrsoft.com
Sun Oct 4 16:21:18 CEST 2015


On 10/02/2015 06:55 PM, Faramir wrote:
> ...
>   Well, you don't really need your key signed for that... at least,
> not the key with your name on it. You can make a key using the name
> "mysoftwarename distribution key", and use it to sign the files. Once
> people start using the software, they may sign the key. They don't
> know who is behind the key, but they will know it is the same key that
> has been using since day 1.
> 

I agree with this sentiment. I have locally signed Niibe's and Werner's
distribution keys, meaning the signatures are not exportable. I have not
verified their identities, but the fingerprints match those on their
website and listed in the announcement e-mails about the software. I
would not be able to definitively say that those keys belong to a person
named Werner Koch or Niibe Yutaka, but they do belong to the people
claiming to have those names and consistently releasing software under
those names. Since the keys do not change with every release, it is
reasonable to assert that it is the same people/person every time. Point
is, you don't need to have your identity verified for people to trust
your key. All my keys are self-signed. I revoked the original key I
created and created this one. I signed this key with the old one before
revoking it. Therefore, you could roughly assume that I am the person
who controlled the secret material to the previous key with this UID,
since this key is signed by that one as well. My name may or may not
really be "Antony Prince", but the keys created with that UID are
chained together by their signatures. I could go even further and make a
short web page listing the previous and current fingerprints and why I
revoked the previous key (called a "transition statement", IIRC) and
even sign that message. I have not done this because my identity as far
as my gpg key goes is not under that much scrutiny or of that much
importance to anyone that I'd need to go to those lengths.

-- 

Antony Prince

Key ID: 0xAF3D4087301B1B19
Fingerprint: 591F F17F 7A4A A8D0 F659  C482 AF3D 4087 301B 1B19
URL:
http://keyserver.blazrsoft.com/pks/lookup?op=get&search=0xAF3D4087301B1B19

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
URL: </pipermail/attachments/20151004/c297a940/attachment.sig>


More information about the Gnupg-users mailing list