On 2017-05-30 at 21:25 +0200, Stefan Claas wrote:
> Let's assume we would exchange signed emails (PGP/SMIME) would these proofs
> be enough for you to warrant a sig2? And for a sig3 an additional video
> conference?

No.  A public signature is an attestation to others of identity.  If
it's based on the same data visible to others, then it adds nothing.  If
there's really a strong case for such signatures to matter, then someone
running an auditable auto-signing bot-service using one PGP key, with
published rules and logs, _might_ be worthwhile.

Instead, those proofs might well be enough for me to make a
non-exportable signature for my local keyring (GnuPG --lsign-key).  I
have several local signatures, backed up locally, for stuff where I've
decided that a key not in the strong set is "probably good" based on a
balance of evidence such as you describe.

It's unfortunate really that the default is to make public attestations,
telling the world "trust me, this key belongs to this person" instead of
locally useful data and then, only once someone knows what they're
doing, offering them the option to act as a Notary Public
(German "Nurnotar" ?) if they so choose.

-Phil
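The distinction Phil draws between a public certification and a local one (GnuPG --lsign-key), shown as an added example that is not part of the original mail: a shell script that builds a throwaway GnuPG keyring with two keys, makes a non-exportable certification with --quick-lsign-key (the batch form of --lsign-key), and then checks that a plain --export of the attested key does not carry it, while --export-options export-local-sigs does. It assumes GnuPG 2.2 or later on PATH; the user IDs and addresses are constructed.

```shell
#!/bin/sh
# Added example, not from the original mail. Shows that a local certification
# (--lsign-key / --quick-lsign-key) stays in the local keyring and is left out
# of --export unless export-local-sigs is requested explicitly.
# Assumes GnuPG >= 2.2 on PATH; the user IDs below are constructed.
set -eu

have_gpg() { command -v gpg >/dev/null 2>&1; }

# Fingerprint of the first key matching a user-ID pattern
# (colon output, "fpr" record, field 10).
fpr_of() {
    gpg --with-colons --list-keys "$1" | awk -F: '/^fpr:/ { print $10; exit }'
}

# Throwaway keyring with two keys: the certifier and the key being attested.
# 'cert' usage makes a certify-only primary with no subkeys, so the only
# signature on each key is its own self-signature.
setup_keyring() {
    GNUPGHOME="$(mktemp -d)"; export GNUPGHOME
    chmod 700 "$GNUPGHOME"
    for uid in 'Local Signer <signer@example.com>' 'Other Person <other@example.com>'; do
        gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
            --quick-generate-key "$uid" ed25519 cert never
    done
    SIGNER_FPR="$(fpr_of '<signer@example.com>')"
    OTHER_FPR="$(fpr_of '<other@example.com>')"
}

# Third-party certifications (sigclass 0x10) present in an export of the
# attested key. Optional $1 is passed as --export-options.
exported_certs() {
    if [ $# -gt 0 ]; then set -- --export-options "$1"; fi
    gpg "$@" --export "$OTHER_FPR" \
        | gpg --list-packets 2>&1 | grep -c 'sigclass 0x10' || true
}

# Local (non-exportable) certifications on the attested key: signature class
# "10l" in --with-colons output ("10x" would mean exportable).
local_certs() {
    gpg --with-colons --list-sigs "$OTHER_FPR" | grep -c '^sig:.*:10l:' || true
}

run_demo() {
    setup_keyring
    # Non-interactive equivalent of "gpg --lsign-key" from the mail.
    gpg --batch --yes --quiet --local-user "$SIGNER_FPR" --quick-lsign-key "$OTHER_FPR"
    echo "local certifications in keyring:        $(local_certs)"
    echo "certifications in plain export:         $(exported_certs)"
    echo "certifications with export-local-sigs:  $(exported_certs export-local-sigs)"
    echo "keyring left at $GNUPGHOME; call cleanup to remove it"
}

cleanup() {
    gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$GNUPGHOME"
}

if have_gpg; then run_demo; else echo "gpg not found; nothing to demonstrate" >&2; fi
```

The plain export shows zero third-party certifications even though the keyring holds one, which is exactly the property that makes a local signature "locally useful data" rather than an attestation to the world; only an explicit export-local-sigs makes it leave the machine.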

_______________________________________________
Gnupg-users mailing list
http://lists.gnupg.org/mailman/listinfo/gnupg-users