On 01/10/15 11:35, Peter Lebbing wrote:
> Well, it doesn't help me at all to know that the developer of said
> software indeed has "David Niklas" on his passport. That gives me no
> more confidence in the integrity of the software than if he had a
> different name. All I need to know is that that piece of software that I
> previously trusted has had an update written by the guy or girl I trust,
> regardless of his or her name.[1]

Yes, trust in the intent, or competency, of a particular person is completely different to verification of the identity of that person (which is why I think PGP's use of the word "trust" in this context is dangerously misleading).

> [1] If some really persistent threat was Man In The Middle all the time
> I downloaded the software and the key, they could replace the key all
> that time by their own. Then at some point, when I trust the wrong key,
> they could still do something nasty with the software. But this is a
> much higher bar than once MITM'ing and inserting nastiness.

And if you want to create a localsig on that basis, fire away. But publicly certifying someone else's key is a statement of identity verification, not trust.

A
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users