> I'm not certain what problem you see that has not been around for as
> long as PGP/GPG exists? You can only ever be certain of a signature if
> you have personally verified the signing key and the signer's identity.
> That's why the default owner trust level is "unknown" (not trusted).

About 25 years ago I first saw the suggestion that signatures from unvalidated certificates should simply not be visible to the end-user, as a signature from an unvalidated certificate is meaningless and the risk of people believing "oh, Frank (or whoever) signed this!" is so high. (A command of --list-all-sigs would need to be added, to force display of signatures from unvalidated certificates.) I've thought it was a good idea ever since I first saw it. I have always been in a distinct minority, though...

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
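As an added example, not part of this mail and not code from the GnuPG project: a small filter that models the proposal above over gpg's colon-separated listing, hiding certifications whose signing key the local keyring has not validated and offering a `list_all` switch that plays the role of the suggested --list-all-sigs. The assumptions are mine: the input is `--with-colons --list-sigs` style output in which `pub` records carry the key's validity in field 2 and the key ID in field 5, and `sig` records carry the signer's key ID in field 5 and user ID in field 10; a signer counts as validated only with validity `f` or `u`, and a signer absent from the keyring is treated as unvalidated; self-signatures stay visible, which the mail does not address. The sample listing is constructed, and only the fields the parser reads are meaningful.

```python
"""Hide key certifications made by unvalidated certificates.

Added example modelling the proposal in the mail; not GnuPG code.
Assumed field layout (mine): pub -> validity in field 2, key ID in
field 5; sig -> signer key ID in field 5, signer user ID in field 10.
"""

# Validity letters that count as "validated" (assumption: full or ultimate).
VALIDATED = {"f", "u"}

# Constructed sample keyring listing. Alice (validity u) carries her own
# self-signature, a certification from Bob (validity f), one from Frank
# (validity '-', i.e. unknown) and one from a key not in the keyring at all.
SAMPLE = """\
pub:u:4096:1:AAAAAAAAAAAAAAAA:1600000000:::u:::scESC::::::23::0:
uid:u::::1600000000::HASH1::Alice <alice@example.org>::::::::::0:
sig:::1:AAAAAAAAAAAAAAAA:1600000000::::Alice <alice@example.org>:13x::AAAAAAAAAAAAAAAA:::8:
sig:::1:BBBBBBBBBBBBBBBB:1600000100::::Bob <bob@example.org>:10x::BBBBBBBBBBBBBBBB:::8:
sig:::1:CCCCCCCCCCCCCCCC:1600000200::::Frank <frank@example.org>:10x::CCCCCCCCCCCCCCCC:::8:
sig:::1:DDDDDDDDDDDDDDDD:1600000300::::[User ID not found]:10x::DDDDDDDDDDDDDDDD:::8:
pub:f:4096:1:BBBBBBBBBBBBBBBB:1600000000:::-:::scESC::::::23::0:
uid:f::::1600000000::HASH2::Bob <bob@example.org>::::::::::0:
sig:::1:BBBBBBBBBBBBBBBB:1600000000::::Bob <bob@example.org>:13x::BBBBBBBBBBBBBBBB:::8:
pub:-:4096:1:CCCCCCCCCCCCCCCC:1600000000:::-:::scESC::::::23::0:
uid:-::::1600000000::HASH3::Frank <frank@example.org>::::::::::0:
sig:::1:CCCCCCCCCCCCCCCC:1600000000::::Frank <frank@example.org>:13x::CCCCCCCCCCCCCCCC:::8:
"""


def parse_listing(text):
    """Return (validity_by_keyid, certs).

    certs is a list of (target_keyid, signer_keyid, signer_uid) tuples in
    listing order; a sig record belongs to the most recent pub record.
    """
    validity = {}
    certs = []
    current = None
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(":")
        if fields[0] == "pub":
            current = fields[4]
            validity[current] = fields[1]
        elif fields[0] == "sig" and current is not None:
            certs.append((current, fields[4], fields[9]))
    return validity, certs


def visible_certs(text, list_all=False):
    """Certifications the user should see under the proposed default.

    Shown: self-signatures and certifications whose signer key has a
    validated validity in the keyring. list_all=True shows everything,
    standing in for the suggested --list-all-sigs switch.
    """
    validity, certs = parse_listing(text)
    shown = []
    for target, signer, uid in certs:
        is_self = signer == target
        validated = validity.get(signer) in VALIDATED
        if list_all or is_self or validated:
            shown.append((target, signer, uid))
    return shown


def hidden_count(text):
    """How many certifications the default view suppresses."""
    _, certs = parse_listing(text)
    return len(certs) - len(visible_certs(text))


if __name__ == "__main__":
    for target, signer, uid in visible_certs(SAMPLE):
        print(f"{target}  certified by {signer}  {uid}")
    n = hidden_count(SAMPLE)
    if n:
        print(f"({n} signature(s) from unvalidated keys hidden; "
              "use list_all to display them)")
```

Run as a script, the default view lists Alice's self-signature and Bob's certification of her, Bob's and Frank's self-signatures, and reports two hidden certifications (Frank's and the unknown key's on Alice); `visible_certs(SAMPLE, list_all=True)` returns all six.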