On 18/10/13 11:37, Peter Lebbing wrote:
> The moral: I think it is a really bad idea to sign keys because you trust
> already made signatures. That's what your trust database is for, use that. You
> should sign keys because you verified the identity *outside* the Web of Trust.

However, here an interesting dichotomy surfaces: the scenario the OP painted was that the HR person or notary did not use OpenPGP or key signatures, but that you still rely on the identity verification done by the HR person. This would thus constitute identity verification outside the Web of Trust, and I suppose I would find that acceptable.

Although I'm a bit unclear on how this "virtual keysigning party" would in practice be held: how does the notary state he trusts the identity? Where does the fingerprint of the key come into play? You are asserting that a certain person holds a certain key, so the key has to be part of the verification. But the notary wasn't using OpenPGP.

The dichotomy is thus: if the notary does not sign keys, I would be okay with people signing keys based on the notary's verification efforts. But if that same notary did everything he or she did before *and* did something extra, namely signing keys, suddenly I'm not okay with people signing keys based on the notary's verification efforts. That's odd.

But the dichotomy doesn't change my position on this. Perhaps a clear answer to how the key fingerprint comes into play would take away the oddity, because perhaps then suddenly there /is/ a verification effort by the people signing the key: that the key belongs to the owner. That the owner is who they say they are is then left to the notary.

HTH,

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
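To make the distinction between "use your trust database" and "sign the key yourself" concrete, here is a small model of the classic GnuPG validity calculation (added illustration, not code from this list or from GnuPG; the keyring, fingerprints and trust levels are constructed, and the marginals/completes thresholds mirror GnuPG's defaults). It shows that assigning ownertrust to the notary's key makes a key the notary certified valid to you without any signature of your own, whereas countersigning on the strength of the notary's signature extends that assertion to everyone who trusts *your* key.

```python
from dataclasses import dataclass, field

# Ownertrust levels of GnuPG's classic trust model (constructed labels)
FULL, MARGINAL, NONE = "full", "marginal", "none"


@dataclass
class Key:
    uid: str
    fpr: str
    sigs: set = field(default_factory=set)  # fingerprints of keys that certified this uid


def validity(target, keyring, me, ownertrust, depth=0,
             completes_needed=1, marginals_needed=3, max_depth=5):
    """Validity of `target` as seen from key `me`: 'full', 'marginal' or 'unknown'."""
    if target.fpr == me or me in target.sigs:
        return FULL  # my own key, or a key I certified myself
    if depth >= max_depth:
        return "unknown"
    full = marginal = 0
    for signer in target.sigs:
        # A certification counts only if the signer's key is itself valid to me ...
        if validity(keyring[signer], keyring, me, ownertrust, depth + 1) != FULL:
            continue
        # ... and only to the degree I trust that signer to verify identities.
        level = ownertrust.get(signer, NONE)
        full += level == FULL
        marginal += level == MARGINAL
    if full >= completes_needed or marginal >= marginals_needed:
        return FULL
    return MARGINAL if (full or marginal) else "unknown"


def scenario():
    """Constructed keyring: me, a notary I verified, Alice (certified by the notary only), Bob."""
    me = Key("Me", "ME00", {"BOB0"})           # Bob verified my key in person
    notary = Key("Notary", "NOTA", {"ME00"})   # I verified the notary's key in person
    alice = Key("Alice", "ALIC", {"NOTA"})     # only the notary certified Alice
    bob = Key("Bob", "BOB0")
    ring = {k.fpr: k for k in (me, notary, alice, bob)}
    # 1. Use the trust database: give the notary ownertrust, do not sign Alice.
    mine = validity(alice, ring, "ME00", {"NOTA": FULL})
    # Bob trusts me fully but has no opinion about the notary.
    bobs_before = validity(alice, ring, "BOB0", {"ME00": FULL})
    # 2. Sign Alice because of the notary's signature: the assertion now reaches
    #    Bob through a certification I never backed with my own verification.
    alice.sigs.add("ME00")
    bobs_after = validity(alice, ring, "BOB0", {"ME00": FULL})
    return mine, bobs_before, bobs_after
```

`scenario()` returns `("full", "unknown", "full")`: trusting the notary makes Alice valid to me alone, while signing her key makes her valid to Bob as well, on nothing but my say-so.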