Obtaining sig2 and sig3 signatures

Daniel Kahn Gillmor dkg at fifthhorseman.net
Tue May 30 23:25:46 CEST 2017

On Tue 2017-05-30 21:25:24 +0200, Stefan Claas wrote:
> Let's assume we would exchange signed emails (PGP/SMIME) would these proofs
> be enough for you to warrant a sig2? And for a sig3 an additional video
> conference?
> The classical procedure would be to sign a key with a sig3 after seeing
> the persons id-card in a real meeting. But who guarantees that the
> id-card is not fake (if the person is a complete stranger)?

I don't recommend that anyone make a sig1, sig2, or sig3 for any
third-party certification (sig3 is fine for self-signatures, where the
keyholder asserts their own identity).  

sig0 -- the default, generic certification -- is fine, does what people
need of it, and doesn't intentionally leak any more of the social graph
than it needs to.

In GnuPG, this is accessed via the "--ask-cert-level" flag.  I explain
my reasoning further in a blog post titled "gpg --ask-cert-level
considered harmful":


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 832 bytes
Desc: not available
URL: </pipermail/attachments/20170530/bf6e6d3c/attachment.sig>

More information about the Gnupg-users mailing list