encryption - When is key signing necessary?


If you've validated a person's public key (think verifying the fingerprint in person or over the phone), is signing the public key still necessary?

Especially if you don't plan on decrypting messages yourself, but only plan on encrypting messages to a valid public key, is key signing still necessary?

I find it useful to sign a key for a couple of reasons:

  1. To reassure me in future that the key hasn't changed.
  2. To help the key owner prove the key to others via the web of trust.

On point 1), it's easy enough to verify the fingerprint now, but are you going to do it every time you send the person encrypted mail or check a signature? Signing the key means you can forget the fingerprint.

On point 2), the owner of the public key may appreciate a signature on the key to convince others that the key belongs to them. For example, if I sign Alice's key, and Bob has verified my key, Bob can choose to trust Alice's key by virtue of my signature.

In practice, I believe the proper etiquette is to sign Alice's key, export it (gpg --export --armor <alice's key id>), and send it to Alice in an encrypted email. This allows her to choose how to use the signature on her key - she might decide to upload it to a keyserver or send it directly to someone else. Alternatively, she may decide not to reveal the association, and never use the signed key.

Note: I believe it's poor etiquette to upload someone else's key to a keyserver and deny them that choice.
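The workflow the answer describes, as an added example rather than code from the post: check the fingerprint against the one verified out of band before certifying anything, choose a local signature (`--quick-lsign-key`, never exported, covers point 1 only) or an exportable one (`--quick-sign-key`, covers point 2), and then hand the signed key back to its owner encrypted to that key. It assumes GnuPG 2.1 or later and that `ALICE_KEYID`, `ALICE_FPR` and `EXPORTABLE` are placeholder variables set by the caller.

```bash
#!/usr/bin/env bash
# Added example (not from the original post). Assumes GnuPG >= 2.1; ALICE_KEYID,
# ALICE_FPR and EXPORTABLE are placeholder environment variables, not real values.
set -euo pipefail

# Normalise a fingerprint for comparison: strip spaces, upper-case the hex.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' ' | tr '[:lower:]' '[:upper:]'
}

# Succeeds only if the expected (out-of-band) and actual fingerprints agree
# and neither is empty, so a missing key can never "match".
fingerprint_matches() {
    local expected actual
    expected=$(normalize_fpr "$1")
    actual=$(normalize_fpr "$2")
    [ -n "$expected" ] && [ "$expected" = "$actual" ]
}

# Ask GnuPG for the primary fingerprint of a key (field 10 of the "fpr" record).
key_fingerprint() {
    gpg --with-colons --fingerprint "$1" | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Certify the key only after the fingerprint check passes, then export it and
# encrypt the export to the key owner so they decide where the signature goes.
sign_and_export() {
    local keyid="$1" expected="$2" exportable="${3:-yes}" actual
    actual=$(key_fingerprint "$keyid")
    if ! fingerprint_matches "$expected" "$actual"; then
        echo "fingerprint mismatch for $keyid (got '${actual:-none}')" >&2
        return 1
    fi
    if [ "$exportable" != yes ]; then
        gpg --quick-lsign-key "$actual"        # local signature: reassures only you
        return 0
    fi
    gpg --quick-sign-key "$actual"             # exportable certification for the web of trust
    gpg --export --armor "$actual" \
        | gpg --armor --encrypt --recipient "$actual" --output "signed-${actual}.asc"
    echo "signed key written to signed-${actual}.asc; send it to the owner, not a keyserver"
}

# Only run the GnuPG steps when the caller supplied a key to work on.
if [ -n "${ALICE_KEYID:-}" ] && [ -n "${ALICE_FPR:-}" ]; then
    sign_and_export "$ALICE_KEYID" "$ALICE_FPR" "${EXPORTABLE:-yes}"
fi
```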
