Houston, we have a problem
Robert J. Hansen
rjh at sixdemonbag.org
Thu Sep 21 16:55:26 CEST 2017
> Question for the experts, how can a casual or new GnuPG user, like Alice
> and Bob, detect a Signature forgery on a pub key, when using Web-based
> key servers?
By remembering that anyone can create a key claiming to be anyone, and
that seeing a signature allegedly from Werner (or anyone) means
absolutely nothing until and unless you've verified the signing
certificate actually belongs to him.

Key validation -- ensuring a key really belongs to who it says -- is an
important step. It cannot be skipped. It is not optional.
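The check described above, as an added example that is not part of the original post: given `gpg --with-colons --check-sigs` style output, it separates signatures whose issuing key fingerprint you have verified yourself from those that only carry a name. The sample records and addresses are constructed, and the field positions (check result in field 2, issuer fingerprint in field 13, which gpg may leave empty depending on version and options) are assumed from GnuPG's colon-listing format.

```python
# Added example. SAMPLE is constructed data, not real gpg output.
FPR_A, FPR_B, FPR_C = "A" * 40, "B" * 40, "C" * 40
SAMPLE = f"""\
pub:-:4096:1:{FPR_A[-16:]}:1500000000:::-:::scESC:
fpr:::::::::{FPR_A}:
uid:-::::1500000000::::Alice <alice@example.invalid>:
sig:!::1:{FPR_A[-16:]}:1500000000::::Alice <alice@example.invalid>:13x::{FPR_A}:
sig:!::1:{FPR_B[-16:]}:1500000001::::Werner <werner@example.invalid>:10x::{FPR_B}:
sig:!::1:{FPR_C[-16:]}:1500000002::::Carol <carol@example.invalid>:10x::{FPR_C}:
sig:?::1:DDDDDDDDDDDDDDDD:1500000003::::[User ID not found]:10x:
"""


def third_party_signatures(colon_output, verified_fprs):
    """Return (claimed_user_id, status) for every non-self signature.

    verified_fprs: fingerprints the user has confirmed out of band
    (in person, printed card, ...). The name on a signature is ignored.
    """
    verified = {f.replace(" ", "").upper() for f in verified_fprs}
    results, pub_keyid = [], None
    for line in colon_output.splitlines():
        f = line.split(":")
        if len(f) < 10:
            continue
        if f[0] == "pub":
            pub_keyid = f[4]
        elif f[0] == "sig" and f[4] != pub_keyid:  # skip self-signatures
            issuer = f[12].upper() if len(f) > 12 else ""
            if not f[1].startswith("!"):
                status = "bad-or-unchecked"    # gpg could not confirm it
            elif issuer in verified:
                status = "signer-verified"     # key validated by the user
            else:
                status = "signer-unverified"   # good math, unproven identity
            results.append((f[9], status))
    return results


if __name__ == "__main__":
    mine = {" ".join(["CCCC"] * 10)}  # only Carol's key was checked in person
    for uid, status in third_party_signatures(SAMPLE, mine):
        print(f"{status:18} {uid}")
```
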