> You have an existing credential - a passport. > You then use that credential to verify another - a PGP key.
The passport isn't used to verify the OpenPGP key. The passport is used to verify *identity*. The key fingerprint is used to verify the OpenPGP key. A signature is a statement of "I believe this person is associated with this OpenPGP key." To do that, you have to first verify the person is who you think they are (the passport); you have to verify the key is what you think it is (the fingerprint); and then you make a statement about the two being associated. _______________________________________________ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users