Obtaining sig2 and sig3 signatures

Phil Pennock gnupg-users at spodhuis.org
Wed May 31 03:43:30 CEST 2017


On 2017-05-30 at 21:25 +0200, Stefan Claas wrote:
> Let's assume we would exchange signed emails (PGP/SMIME) would these proofs
> be enough for you to warrant a sig2? And for a sig3 an additional video
> conference?

No.  A public signature is an attestation to others of identity.  If
it's based on the same data visible to others, then it adds nothing.  If
there's really a strong case for such signatures to matter, then someone
running an auditable auto-signing bot-service using one PGP key, with
published rules and logs, _might_ be worthwhile.

Instead, those proofs might well be enough for me to make a
non-exportable signature for my local keyring (GnuPG --lsign-key).  I
have several local signatures, backed up locally, for stuff where I've
decided that a key not in the strong set is "probably good" based on a
balance of evidence such as you describe.

It's unfortunate really that the default is to make public attestations,
telling the world "trust me, this key belongs to this person" instead of
locally useful data and then, only once someone knows what they're
doing, offering them the option to act as a Notary Public
(German "Nurnotar" ?) if they so choose.

-Phil
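The distinction Phil draws above, between a public certification and a non-exportable one made with `--lsign-key`, is visible in GnuPG's machine-readable listing: in `gpg --with-colons --list-sigs` output, field 11 of each `sig` record is the signature class (two hex digits, 0x10 to 0x13 being the sig0 to sig3 levels discussed in the thread) followed by `x` for an exportable signature or `l` for a local-only one. The following parser is an added example, not part of the post or of GnuPG; the listing it reads is constructed sample output, not captured from a real keyring.

```python
"""Classify the certifications on a key by parsing `gpg --with-colons --list-sigs`
output, separating local (non-exportable, made with --lsign-key) signatures from
public ones.  Added example; the listing below is constructed, not real output."""
import re
from typing import Dict, List, Optional

# Signature-class byte -> the "sigN" certification level (RFC 4880, 5.2.1):
# 0x10 generic, 0x11 persona, 0x12 casual, 0x13 positive.
SIG_LEVELS = {"10": 0, "11": 1, "12": 2, "13": 3}

# Constructed sample: one key, one user ID, three certifications.  The "12l"
# record is a local signature such as --lsign-key makes; "13x" and "12x" are
# exportable.  Key IDs and names are placeholders.
SAMPLE_LISTING = """\
tru::1:1700000000:0:3:1:5
pub:f:4096:1:ABCDEF0123456789:1500000000:::u:::scESC::::::23::0:
fpr:::::::::0000000000000000ABCDEF0123456789:
uid:f::::1500000000::0123456789ABCDEF0123456789ABCDEF01234567::Alice Example <alice@example.org>::::::::::0:
sig:::1:ABCDEF0123456789:1500000000::::Alice Example <alice@example.org>:13x:::::2:
sig:::1:1122334455667788:1500100000::::Phil Example <phil@example.org>:12l:::::2:
sig:::1:99AABBCCDDEEFF00:1500200000::::Bob Example <bob@example.org>:12x:::::2:
"""


def unescape_colons(field: str) -> str:
    """Undo the C-style \\xNN escaping gpg applies to text fields (e.g. \\x3a for ':')."""
    return re.sub(r"\\x([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), field)


def parse_sigs(listing: str) -> List[Dict]:
    """Return one dict per 'sig' record, tagged with the user ID it certifies."""
    sigs: List[Dict] = []
    current_uid: Optional[str] = None
    for line in listing.splitlines():
        fields = line.split(":")
        if fields[0] == "uid":
            # Field 10 of a uid record is the user ID itself.
            current_uid = unescape_colons(fields[9])
        elif fields[0] == "sig":
            cls = fields[10]  # field 11: e.g. "13x" (exportable) or "12l" (local)
            sigs.append({
                "target_uid": current_uid,
                "signer_keyid": fields[4],                  # field 5: signer's key ID
                "signer_uid": unescape_colons(fields[9]),   # field 10: signer's user ID
                "level": SIG_LEVELS.get(cls[:2]),            # None for non-certification classes
                "local": cls.endswith("l"),
            })
    return sigs


def exported_view(sigs: List[Dict]) -> List[Dict]:
    """Model what `gpg --export` ships by default: local signatures are dropped."""
    return [s for s in sigs if not s["local"]]


if __name__ == "__main__":
    for s in parse_sigs(SAMPLE_LISTING):
        kind = "local  " if s["local"] else "public "
        print(f"{kind} sig{s['level']} by {s['signer_keyid']} on {s['target_uid']}")
```

Running this over a real keyring (`gpg --with-colons --list-sigs <keyid>`) shows which of your certifications would leave the machine in an export; by default `gpg --export` omits the `l` records, and they only travel if `--export-options export-local-sigs` is given explicitly, which is what makes `--lsign-key` suitable for the private "probably good" judgement the post describes.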
