Houston, we have a problem

Ralph Seichter m16+gnupg at monksofcool.net
Thu Sep 21 22:38:06 CEST 2017


On 21.09.17 22:11, Stefan Claas wrote:

> > You can only ever be certain of a signature if you have personally
> > verified the signing key and the signer's identity.
>
> Well, call me a stupid Mac dummy, but how in the world could GnuPG
> users, living in different areas, verify that?

They can't. That's one of the reasons the "web of trust" is a tricky
concept. Among all of the people I know to use PGP, I trust only two to
verify both key fingerprints and identities as thoroughly as I do. That
means I usually have to jump through hoops to verify stuff myself, and
that only works for people I have personally met (and checked their
Personalausweis or what have you). My web of trust is almost non-existent.
Yours might be extensive. It all depends on what you verify yourself and
who else you trust to verify. As Robert wrote, you seem to keep rehashing
the same issue, and an old one at that.

> https://pgp.governikus-eid.de/pgp/

You mean there are people who actually use Online-PA, and trust the BSI
on top of that? You're kidding, right? ;-) I neither care nor trust what
Governikus signs. I've been providing IT security services for decades,
and find it extremely hard to trust others in this field, based on my
own experience.

-Ralph
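Ralph's point that validity "depends on what you verify yourself and who else you trust to verify" is exactly what GnuPG's classic trust model computes. The following Python model is an added example, not code from this thread or from GnuPG: it reproduces the classic rules (a key is valid when certified by one fully trusted key or by three marginally trusted keys, searched up to five certification hops, GnuPG's defaults for --completes-needed, --marginals-needed and --max-cert-depth) over a constructed keyring whose key names are placeholders, so you can see how far Ralph's two trusted verifiers carry his web of trust, and where it stops.

```python
"""Toy model of GnuPG's classic web-of-trust validity calculation.

Added example (not from the mailing-list thread and not GnuPG's code).
Thresholds are GnuPG's classic-model defaults; the keyring is constructed
sample data and the key names are placeholders, not real key IDs.
"""
from dataclasses import dataclass, field

MARGINALS_NEEDED = 3   # gpg --marginals-needed default
COMPLETES_NEEDED = 1   # gpg --completes-needed default
MAX_CERT_DEPTH = 5     # gpg --max-cert-depth default


@dataclass
class Key:
    keyid: str
    # Owner trust: how much YOU trust this key's owner to verify others.
    # One of "ultimate", "full", "marginal", "never", "unknown".
    ownertrust: str = "unknown"
    # Keys that certified (signed) this key's user ID.
    certified_by: set = field(default_factory=set)


def compute_validity(keyring):
    """Return {keyid: validity}, validity in {"ultimate","full","marginal","unknown"}.

    Simplified classic model: only keys that are already valid AND carry an
    owner trust of ultimate/full/marginal may vouch for others. Signers that
    are not in the keyring, or whose owner trust is "never"/"unknown", count
    for nothing, which is why an unverified stranger's signatures are inert.
    """
    validity = {kid: "unknown" for kid in keyring}
    for kid, key in keyring.items():
        if key.ownertrust == "ultimate":      # your own keys
            validity[kid] = "ultimate"

    for _depth in range(MAX_CERT_DEPTH):
        trusted = {kid for kid, key in keyring.items()
                   if validity[kid] in ("ultimate", "full")
                   and key.ownertrust in ("ultimate", "full", "marginal")}
        changed = False
        for kid, key in keyring.items():
            if validity[kid] in ("ultimate", "full"):
                continue
            signers = key.certified_by & trusted
            full = sum(1 for s in signers
                       if keyring[s].ownertrust in ("ultimate", "full"))
            marginal = sum(1 for s in signers
                           if keyring[s].ownertrust == "marginal")
            if full >= COMPLETES_NEEDED or marginal >= MARGINALS_NEEDED:
                new = "full"
            elif full or marginal:
                new = "marginal"      # some trust, but below the threshold
            else:
                new = "unknown"
            if new != validity[kid]:
                validity[kid] = new
                changed = True
        if not changed:
            break                      # nothing new reachable: stop early
    return validity


def sample_keyring(trust_alice="full", trust_bob="full"):
    """Constructed keyring: RALPH personally checked ALICE and BOB and trusts
    them to verify others; everything further out rides on that decision."""
    keys = [
        Key("RALPH", "ultimate"),
        Key("ALICE", trust_alice, {"RALPH"}),
        Key("BOB", trust_bob, {"RALPH"}),
        Key("CAROL", "marginal", {"ALICE"}),
        Key("DAVE", "marginal", {"BOB"}),
        Key("GRACE", "marginal", {"ALICE"}),
        Key("ERIN", "unknown", {"CAROL", "DAVE"}),            # 2 marginals
        Key("FRANK", "unknown", {"CAROL", "DAVE", "GRACE"}),  # 3 marginals
        Key("MALLORY", "unknown", {"ERIN"}),   # signed only by a marginal key
        Key("STRANGER", "unknown", {"ZED"}),   # signer not in keyring at all
    ]
    return {k.keyid: k for k in keys}


def usable_for_encryption(keyring, keyid):
    """gpg refuses (without --trust-model always) unless validity is full/ultimate."""
    return compute_validity(keyring)[keyid] in ("ultimate", "full")


if __name__ == "__main__":
    for kid, v in compute_validity(sample_keyring()).items():
        print(f"{kid:9s} {v}")
    # Withdraw owner trust from ALICE and BOB: they stay valid (RALPH signed
    # them), but nobody beyond them is reachable any more.
    for kid, v in compute_validity(sample_keyring("unknown", "unknown")).items():
        print(f"{kid:9s} {v}   (no owner trust on ALICE/BOB)")
```

Run it and compare the two listings: the same certifications produce a web of trust that is either several hops deep or, as Ralph describes, almost non-existent, depending solely on the owner-trust values you assign after verifying people yourself.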