On 21.09.17 21:38, Stefan Claas wrote:
> The thing is someone could issue a fake sig3 from Heise's CA key to
> someone else's pub key, without that that customers would detect it,
> nor Heise would know it, until of course they would see the keys in
> question.

I'm not certain what problem you see that has not been around for as long as PGP/GPG exists? You can only ever be certain of a signature if you have personally verified the signing key and the signer's identity. That's why the default owner trust level is "unknown" (not trusted).

-Ralph