On 01/10/15 10:33, Bob Henson wrote:
> There might be a possible exception where there is no individual
> person to meet - the verification signature with software, say. When
> you have downloaded the software from the same, known website for
> some time it might be reasonable to sign the verification key - if a
> tad pointless if it is only really a checksum.

Well, it doesn't help me at all to know that the developer of said software indeed has "David Niklas" on his passport. That gives me no more confidence in the integrity of the software than if he had a different name. All I need to know is that that piece of software that I previously trusted has had an update written by the guy or girl I trust, regardless of his or her name.[1]

I don't understand "it's only really a checksum". The key property is that it's signed by the same developer each and every time. A checksum has very different properties, but I might simply misunderstand you.

> Someone who I had never previously even heard of once signed my old,
> now revoked key - were that person someone "known" to be nasty, it
> would have degraded my key's value.

No, it should not degrade the key's value. Unfortunately the key's value is in the eye of the beholder, and that eye is often not fully aware of the lack of implications an untrusted signature has. An untrusted signature has precisely one implication: useless baggage. It neither increases nor decreases the value of the key it has signed.

One of the people whose key I've signed at a keysigning party gained a signature by Adolph Hitler. Enter Godwin's Law. Anyway, he revoked the key. I can understand that. It just looks bad when someone uses the web interface of a keyserver to look up his key. But it doesn't degrade his key in any way other than what is a misperception. Only trusted keys matter. Untrusted keys can be wholly ignored. Even if they are from the Führer.

> The best it could have been is totally meaningless.

It /is/ totally meaningless. And we should educate users that it is meaningless.

HTH,

Peter.

[1] If some really persistent threat was Man In The Middle all the time I downloaded the software and the key, they could replace the key all that time by their own. Then at some point, when I trust the wrong key, they could still do something nasty with the software. But this is a much higher bar than once MITM'ing and inserting nastiness.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
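As an added illustration of the point about untrusted signatures (this is example code, not part of the original message or of GnuPG), a small Python model of GnuPG's classic trust model, with constructed key names and ownertrust values, shows that a certification from an unknown or explicitly distrusted key leaves the computed validity of every key unchanged:

```python
from collections import defaultdict

# Simplified model of GnuPG's classic trust model with its default
# thresholds (completes-needed=1, marginals-needed=3). Ownertrust is
# assigned locally by the user; certifications are (signer, signed) pairs.
COMPLETES_NEEDED = 1
MARGINALS_NEEDED = 3


def compute_validity(ownertrust, signatures, max_depth=5):
    """Return the set of keys the local user would consider valid.

    ownertrust: dict key -> 'ultimate' | 'full' | 'marginal' | 'unknown' | 'never'
    signatures: iterable of (signer_key, signed_key) certifications
    """
    valid = {k for k, t in ownertrust.items() if t == 'ultimate'}
    signers_of = defaultdict(set)
    for signer, signed in signatures:
        signers_of[signed].add(signer)
    # Iterate because a certification only counts once the signer is
    # itself valid; each round can make further keys valid.
    for _ in range(max_depth):
        newly = set()
        for key, signers in signers_of.items():
            if key in valid:
                continue
            counted = [s for s in signers if s in valid]
            fulls = sum(1 for s in counted if ownertrust.get(s) in ('full', 'ultimate'))
            margs = sum(1 for s in counted if ownertrust.get(s) == 'marginal')
            # 'unknown' and 'never' signers contribute nothing, valid or not.
            if fulls >= COMPLETES_NEEDED or margs >= MARGINALS_NEEDED:
                newly.add(key)
        if not newly:
            break
        valid |= newly
    return valid


def demo():
    # Constructed keyring: 'me' is the local user, 'dev' a software author.
    ownertrust = {'me': 'ultimate', 'alice': 'full', 'bob': 'marginal',
                  'carol': 'marginal', 'dave': 'marginal',
                  'stranger': 'unknown', 'villain': 'never'}
    sigs = [('me', 'alice'), ('me', 'bob'), ('me', 'carol'), ('me', 'dave'),
            ('alice', 'dev'), ('bob', 'erin'), ('carol', 'erin'), ('dave', 'erin')]
    before = compute_validity(ownertrust, sigs)
    # Extra certifications from an unknown and a distrusted key: no effect.
    extra = [('stranger', 'dev'), ('villain', 'dev'), ('villain', 'frank')]
    after = compute_validity(ownertrust, sigs + extra)
    return before, after
```

Running `demo()` returns the same validity set twice: the "villain" signature neither helps "dev" nor hurts it, and "frank", signed only by the distrusted key, stays invalid.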