On Wed, May 09, 2012 at 01:32:12PM +0200, Ralf Mardorf wrote:
> When the subject was "gpg/pgp noise" Jon Dowland wrote: "I clearly
> explained that his key was signed by another he owned, which in turn was
> signed by *someone else entirely*."
>
> A chain of unsigned keys for one and the same person, with one key at
> the end of this chain that is signed by one person only, or even by
> enough persons, is useless. This isn't the correct way to sign a
> key, since it's not secure and not handy.

I didn't check beyond the other person: if they have sigs on their key,
then it's feasible Mika is joined to a/the web of trust. Rather than try
to manually construct such a path, I fed Mika's key into pathfinder web
sites, but his key is not widespread enough, and the ones I tried didn't
know about him. I did not rule him out of the web of trust, nor prove
him in.

> OTOH, when do you really need signing? More likely is that you will
> encrypt mails, e.g. to ensure that if you write to a family with young
> children, using the same computer, only the parents can read mails with
> contents that aren't good for children. In such a case it's not needed
> to ensure that the key is trusted. It's only important that the parents
> know how to decrypt and the children don't know it. This anyway prevents
> against manipulating the mails' content, without signing.

IME I've signed many mails and verified many signed mails and very rarely
encrypted messages. In fact the only times I have encrypted or decrypted
mail was when sending signatures of someone's key to themselves. I suppose
different people have different use-cases.

-- 
Jon Dowland

-- 
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/20120509180958.GF8272@debian
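The exchange above turns on how GnuPG's classic trust model treats a key that is signed only by another key of the same owner, and on what a "pathfinder" actually finds. As an added example (not code from this thread, and not GnuPG's own code), the block below re-implements the classic rules in miniature: a key is fully valid if it is ultimately trusted, or if it carries certifications from fully valid keys whose owners I trust, totalling at least one "full" owner or three "marginal" owners, bounded by a maximum certification depth of five (GnuPG's defaults for --completes-needed, --marginals-needed and --max-cert-depth). The key IDs (ME, ALICE, BOB, CAROL, MIKA_NEW, MIKA_OLD, LONER_A, LONER_B), the signature graph and the owner-trust assignments are all constructed for illustration and are not real keys. The path search doubles as a toy pathfinder: with counted_only=False it reports any chain of signatures, as the public pathfinder sites do; with the default it reports only chains GnuPG would count.

```python
"""Toy re-implementation of GnuPG's classic web-of-trust validity rules.

Added example, not code from the thread or from GnuPG.  All key IDs,
signatures and owner-trust values are constructed for illustration.
"""
from collections import deque

# GnuPG defaults: --completes-needed 1, --marginals-needed 3, --max-cert-depth 5
COMPLETES_NEEDED = 1
MARGINALS_NEEDED = 3
MAX_CERT_DEPTH = 5

# Constructed certification graph: key -> set of keys that have signed it.
SIGNATURES = {
    "ME": set(),                  # my own key, ultimately trusted
    "ALICE": {"ME"},              # I signed Alice's key after checking it
    "BOB": {"ME"},
    "CAROL": {"ALICE", "BOB"},    # Carol's key is signed by Alice and Bob
    "MIKA_NEW": {"CAROL"},        # Mika's newer key, signed by Carol
    "MIKA_OLD": {"MIKA_NEW"},     # Mika's older key, signed only by Mika's newer key
    "LONER_A": {"LONER_B"},       # two keys of one person that only sign each other,
    "LONER_B": {"LONER_A"},       #   with no signature from anybody else
}

# Constructed owner trust: how far I trust each *person* to certify others.
# Anyone not listed has ownertrust "unknown", so their signatures never count.
OWNERTRUST = {
    "ME": "ultimate",
    "ALICE": "full",
    "BOB": "marginal",
    "CAROL": "marginal",
}


def compute_validity(signatures, ownertrust):
    """Return {key: 'full' | 'marginal' | 'unknown'}.

    Round i of the loop validates keys at certification depth i+1; only keys
    that are already fully valid may certify, mirroring GnuPG's classic model.
    """
    valid = {k for k, t in ownertrust.items() if t == "ultimate" and k in signatures}
    for _depth in range(MAX_CERT_DEPTH):
        newly_valid = set()
        for key, signers in signatures.items():
            if key in valid:
                continue
            # Only certifications from fully valid keys are considered at all.
            trusted = [ownertrust.get(s, "unknown") for s in signers if s in valid]
            fulls = sum(t in ("ultimate", "full") for t in trusted)
            marginals = sum(t == "marginal" for t in trusted)
            if fulls >= COMPLETES_NEEDED or marginals >= MARGINALS_NEEDED:
                newly_valid.add(key)
        if not newly_valid:
            break
        valid |= newly_valid
    result = {}
    for key, signers in signatures.items():
        if key in valid:
            result[key] = "full"
        elif any(s in valid and ownertrust.get(s) in ("ultimate", "full", "marginal")
                 for s in signers):
            result[key] = "marginal"   # some trusted certification, but not enough
        else:
            result[key] = "unknown"
    return result


def trust_path(signatures, validity, target, root="ME", counted_only=True):
    """Breadth-first search from `target` back along its signers to `root`.

    counted_only=True follows only signers GnuPG would count (fully valid);
    counted_only=False follows any signature, like a public pathfinder site.
    Returns the key IDs from root to target, or None if no path exists.
    """
    parent = {target: None}
    queue = deque([target])
    while queue:
        key = queue.popleft()
        if key == root:
            path = []
            while key is not None:
                path.append(key)
                key = parent[key]
            return path
        for signer in sorted(signatures.get(key, ())):   # sorted for determinism
            if signer in parent:
                continue
            if counted_only and validity.get(signer) != "full":
                continue
            parent[signer] = key
            queue.append(signer)
    return None


if __name__ == "__main__":
    validity = compute_validity(SIGNATURES, OWNERTRUST)
    for key in SIGNATURES:
        print(f"{key:9s} validity={validity[key]:8s} "
              f"counted path={trust_path(SIGNATURES, validity, key)} "
              f"any path={trust_path(SIGNATURES, validity, key, counted_only=False)}")
    # Assigning ownertrust to Mika (and full trust to Carol) is what lets the
    # MIKA_NEW -> MIKA_OLD certification count at all.
    revised = compute_validity(SIGNATURES, {**OWNERTRUST, "CAROL": "full", "MIKA_NEW": "full"})
    print("MIKA_OLD after assigning ownertrust:", revised["MIKA_OLD"])
```

Running it shows the two situations the thread distinguishes. MIKA_NEW has a signature path back to ME (ME, ALICE, CAROL, MIKA_NEW), but with Carol only marginally trusted it ends up merely marginal, and MIKA_OLD stays unknown: the raw pathfinder search does return ME, ALICE, CAROL, MIKA_NEW, MIKA_OLD, yet the counted search returns nothing, because a not-fully-valid key with no ownertrust cannot certify. The LONER keys have no path of either kind. Only after the user assigns ownertrust to Mika's key does the self-made link between his two keys contribute, which is the step a chain of one person's keys cannot supply on its own.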