On 21.09.17 22:11, Stefan Claas wrote:
> > You can only ever be certain of a signature if you have personally
> > verified the signing key and the signer's identity.
>
> Well, call me a stupid Mac dummy, but how in the world could GnuPG
> users, living in different areas verify that?

They can't. That's one of the reasons the "web of trust" is a tricky concept. Among all of the people I know to use PGP, I trust only two to verify both key fingerprints and identities as thoroughly as I do. That means I usually have to jump through hoops to verify stuff myself, and that only works for people I have personally met (and checked their Personalausweis or what have you).

My web of trust is almost non-existent. Yours might be extensive. It all depends on what you verify yourself and who else you trust to verify.

As Robert wrote, you seem to keep rehashing the same issue, and an old one at that.

> https://pgp.governikus-eid.de/pgp/

You mean there are people who actually use Online-PA, and trust the BSI on top of that? You're kidding, right? ;-)

I neither care nor trust what Governikus signs. I've been providing IT security services for decades, and find it extremely hard to trust others in this field, based on my own experience.

-Ralph