On Thu, Oct 01, 2015 at 09:33:59AM +0100, Bob Henson wrote:
> On 30/09/2015 8:58 pm, Robert J. Hansen wrote:
> >> I create for myself a gpg key and want to get it signed
> >
> > More important than whether your certificate gets signed is who signs
> > the certificate, who they are connected to, and so on.
> >
> > Some people will sign almost anything. People who get a reputation for
> > signing anything develop a reputation for their signatures being
> > meaningless. Some people have very strong requirements before they'll
> > sign. Their signatures are often worth quite a lot of credibility, but
> > good luck getting them.
> >
> > The good news is this *can be done*. I promise.
> >
> > The best thing you can do right now is to get involved in the community.
> > Get engaged in the mailing lists (here, PGP-Basics, Enigmail-Users are
> > three good ones). And when you post, sign your messages. Over time
> > people will come to trust that your signature connects to the real you,
> > even if they can't promise that your name really is David Niklas, or
> > can't say what you look like.
>
> Whilst that is partially useful, surely it only vouches for the fact
> that the postings came from the same person and not who that person is -
> and as such is of very limited use. I have a "newsgroup" key for that
> purpose - but it is a tad pointless. I think I know the person who calls
> himself Robert J. Hansen and you have certainly corresponded with
> someone called Robert H. Henson, but we have no idea who those people
> are unless we meet. Keys should only ever be signed in person and if the
> person is not well known to you by sight, with some form of irrefutable
> photo evidence being presented along with the key signature - a
> passport, or something carrying equal weight.
There are two issues here. One is what the O.P. asked: how to get useful
signatures which bind a key to a specific physical-world person.
Face-to-face meetings, photo ID, etc. are all part of that. But the other
is binding a key to a reputation. And that can be done at arm's length,
simply by doing stuff in public and signing the stuff with your
perhaps-unsigned key. If I've examined, tested, and used stuff bound to
key X, and learned to trust it, then when I meet some other stuff bound
to key X it is not unreasonable to trust it more readily since, by means
of key X, it is bound to stuff that I already trust.

> There might be a possible exception where there is no individual person
> to meet - the verification signature with software, say. When you have
> downloaded the software from the same, known website for some time it
> might be reasonable to sign the verification key - if a tad pointless if
> it is only really a checksum. Perhaps the same applies to a Certificate
> Authority key, say. But a signature of any person's key that you have
> not met and positively verified is worse than useless as it degrades the
> whole trust process. Someone who I had never previously even heard of
> once signed my old, now revoked key - were that person someone "known"
> to be nasty, it would have degraded my key's value. The best it could
> have been is totally meaningless.

To put my point more plainly: signatures on products and signatures on
keys mean different things, and to gain trust for them works in
different ways.

-- 
Mark H. Wood
Lead Technology Analyst
University Library
Indiana University - Purdue University Indianapolis
755 W. Michigan Street
Indianapolis, IN 46202
317-274-0749
www.ulib.iupui.edu
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
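The distinction the reply draws, a data signature on a product versus a certification on a key, is easy to see in GnuPG itself. The script below is an added example and is not from the thread or from the GnuPG project; it assumes GnuPG 2.1 or later (for the --quick-* commands) on PATH, and the two identities, the release file and its contents are constructed for the demo. A detached signature over a file verifies cleanly with --verify even though nobody has certified the signing key (gpg only warns that the key is "not certified with a trusted signature"); a certification is a separate signature that a second key places on the first key's user ID, and it shows up under --check-sigs, not under --verify.

```shell
#!/bin/sh
# Added example (not from the thread): contrast a data signature over an
# artifact with a certification signature on a key, in a throwaway
# GNUPGHOME. Needs GnuPG 2.1+. Identities and file contents are constructed.
set -eu

# Unattended gpg: batch mode, loopback pinentry, empty passphrase.
g() { gpg --batch --yes --quiet --pinentry-mode loopback --passphrase '' "$@"; }

# Primary-key fingerprint of the key matching a user-id string.
fpr_of() { gpg --batch --with-colons --list-keys "$1" | awk -F: '$1=="fpr"{print $10; exit}'; }

# Fresh keyring with two passphrase-less Ed25519 signing keys.
setup_keys() {
    GNUPGHOME=$(mktemp -d); export GNUPGHOME
    chmod 700 "$GNUPGHOME"
    g --quick-generate-key 'Upstream Project <upstream@example.invalid>' ed25519 sign never
    g --quick-generate-key 'Careful Certifier <certifier@example.invalid>' ed25519 sign never
    UPSTREAM_FPR=$(fpr_of upstream@example.invalid)
    CERTIFIER_FPR=$(fpr_of certifier@example.invalid)
    CERTIFIER_KEYID=$(printf '%s' "$CERTIFIER_FPR" | tail -c 16)  # long key id = last 16 hex digits
}

# Signature on a product: Upstream signs the release file (detached, ASCII-armored).
sign_artifact() { g --local-user "$UPSTREAM_FPR" --armor --detach-sign --output "$1.asc" "$1"; }

# Returns 0 only if the detached signature is good for the file's current contents.
# Note: succeeds even though nobody has certified Upstream's key; gpg only warns.
verify_artifact() { gpg --batch --quiet --verify "$1.asc" "$1" 2>/dev/null; }

# Signature on a key: Certifier certifies Upstream's key (its user id), not any file.
certify_key() { g --local-user "$CERTIFIER_FPR" --quick-sign-key "$UPSTREAM_FPR"; }

# Number of good certifications on Upstream's key that were made by Certifier.
# In --with-colons output a "sig" record has "!" in field 2 for a good
# signature and the signer's long key id in field 5.
count_certifications() {
    gpg --batch --with-colons --check-sigs "$UPSTREAM_FPR" \
      | awk -F: -v k="$CERTIFIER_KEYID" '$1=="sig" && $2=="!" && $5==k' \
      | wc -l | tr -d ' '
}

teardown() { gpgconf --kill gpg-agent 2>/dev/null || true; rm -rf "$GNUPGHOME"; }

main() {
    setup_keys
    f="$GNUPGHOME/release.tar"
    printf 'constructed release contents\n' > "$f"

    sign_artifact "$f"
    verify_artifact "$f" && echo "artifact signature good (key uncertified, as expected)"
    echo "certifications by Certifier before: $(count_certifications)"

    certify_key
    echo "certifications by Certifier after:  $(count_certifications)"

    printf 'tampered\n' >> "$f"
    verify_artifact "$f" || echo "artifact signature BAD after tampering"
    teardown
}

if [ "${1:-}" = demo ]; then main; fi
```

Run it as `sh demo.sh demo`. The data signature answers "did key X sign these exact bytes"; the certification answers "does key Y vouch that key X belongs to this user ID". Neither implies the other, which is why trusting a vendor's release key on the strength of a long history of good releases (reputation) is a different act from certifying it after checking a passport (identity).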