Key Signing - Do you bother?

Postby barry » 1st Dec 2005 22:45

I'm not sure if this is really off topic or not! I guess as it only relates to OpenPGP keys it's not strictly an Enigmail function, so I thought I'd raise it here.

How many of you have taken the time out to get your keys signed by other people at a key signing party or similar?

I've only got one signature on my keyring from a meeting with a "stranger", but I'm not sure that it has affected the way people view a signed mail from me.

How much checking do you do of signed mail you receive from somebody? As the mail is signed do you tend to trust it more, or do you check the key for signatures and trust levels?
barry
Enigmail Team
Posts: 91
Joined: 12th Nov 2005 19:25
Location: Croydon, Surrey, UK

Postby olav » 1st Dec 2005 23:42

How many of you have taken the time out to get your keys signed by other people at a key signing party or similar?

I did, do and will do in the future.

I've only got one signature on my keyring from a meeting with a "stranger", but I'm not sure that it has affected the way people view a signed mail from me.

You have to meet the right people and make them sign your key :) ... Yesterday I met Phil Zimmermann in person and handed him my calling card containing my fingerprint, but I am not sure whether he has time to sign all the keys people ask him to sign. Anyway - he would not give me his card but asked me to get his key from his website ... so I guess real life might be different from the theory.

How much checking do you do of signed mail you receive from somebody?

Personally, I only sign keys non-locally if
  1. normal case (business contacts)
    • I personally checked an official identity document and
    • I received the fingerprint in person, or
  2. exceptional case (relatives, close friends)
    • I have known that person very well for a long time and
    • received the fingerprint out of band (not by email but e.g. on the phone).
As the mail is signed do you tend to trust it more, or do you check the key for signatures and trust levels?

I do maintain trust levels according to my knowledge about the key owner's knowledge about key signing and his dedication to properly verify other peoples identity before signing their key.

In private everyday conversation the calculated trust level doesn't really make a difference for me since I usually don't need that high trust level when receiving messages.

But when I have to send confidential documents electronically, I think that it is important to verify that a key really belongs to the recipient. And when receiving important messages or documents that I have to rely or react on, knowing exactly that they were signed by exactly that person (not a key that carries an ID of that person) does make a big difference for me.
olav
Enigmail Team
Posts: 93
Joined: 13th Nov 2005 22:22
Location: Emmendingen, Germany

Postby shane » 5th Dec 2005 12:32

I do sign keys locally once I know someone. I don't really pay that much attention to key signing otherwise. It's not really a factor in my email, simply because I don't use encryption and signing widely. Most people I need to talk to don't use OpenPGP. It's still a little too complex for them, or they don't understand why it's important.
shane
Enigmail Team
Posts: 134
Joined: 13th Nov 2005 22:26
Location: UK

Postby sfringer » 5th Dec 2005 14:02

As I don't "get out" often, I've not had my key signed by many folks. For the most part this doesn't affect me - as I do not currently use encrypted communications for anything much more than the "gee whiz" ability to do it.

That said, I do take the time to try and verify the fingerprint of a key of any individual I expect to be communicating with regularly. Of course, with the Internet connecting so many of us together, physically meeting many of my contacts is out of the question - but there are many out-of-band methods available. (Though I'll be honest and admit I do use email frequently.)

I'm pretty sure if my work requirements were to begin to use encryption seriously (amazing for a hospital needing to follow the HIPAA guidelines that they don't) I'd take a much firmer stand on verification and validation.
sfringer
New user
Posts: 2
Joined: 5th Dec 2005 13:44
Location: Gainesville, FL

Postby Adam » 5th Dec 2005 18:00

I would like to do a bit more key-signing than I do at the moment, but the majority of my contacts that I send encrypted/signed communications to aren't people I'd normally meet - geographical location being the major factor. I have signed a few keys of people I know to be exactly who their email says they are, but I mainly rely on setting key trust levels simply for information at my end.
Mozilla Thunderbird 2.0, Enigmail 0.95.5, GnuPG 1.4.8-MobilityEmail
OpenPGP Key ID 0x37858A47
Adam
Experienced user
Posts: 119
Joined: 5th Dec 2005 17:34

Postby shane » 19th Dec 2005 01:53

I just wanted to add a link. There is a website that helps you coordinate key signing "parties" or meetings at http://www.biglumber.com/.
shane
Enigmail Team
Posts: 134
Joined: 13th Nov 2005 22:26
Location: UK

Postby jmoore3rd » 5th Feb 2008 05:43

I do pay attention to the signatures present on keys from other folks. Primarily, I am more interested in 'trust' signatures than I am in the most common 'exportable' sig. Because the whole WoT concept is probably the least understood aspect of PK encryption, I see a huge number of 'exportable' sigs on keys issued by individuals that, when challenged, I learn are baseless/useless.

A favorite pastime of mine for 'messing' with folks is to ask them how much they know/trust someone whenever I see that they have signed another's key. Since GnuPG supports up to 4 trust models, I fear that most are "not on the same page" in comprehending assigned trust. :(

The PGP GUI supports trust signing via "trusted introducer" [black pencil] signatures; I would like to see Enigmail eventually support the issuing of 'tsign' sigs within its Key Management interface.
"If there are no dogs in Heaven,
then when I die I want to go
where they went." - Will Rogers
jmoore3rd
Enigmail Team
Posts: 72
Joined: 5th Dec 2005 13:39
Location: Atlanta, GA USA
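The following is an added example, not code from the thread, from Enigmail or from GnuPG. It models in Python the classic trust-model calculation that olav's "calculated trust level" and jmoore3rd's remarks about owner trust refer to: owner trust is what you assign to a key's holder, validity is what the model derives from the certifications on a key, and only signatures from fully valid keys whose owners you trust count toward another key's validity. It also shows the two checks the posters describe, comparing a fingerprint received out of band with the keyring copy before signing, and keeping a local (lsign) signature off an exported key. The keyring, names and "FPR-..." fingerprints are constructed placeholders, not real OpenPGP data; the default thresholds (3 marginals, 1 complete, depth 5) are GnuPG's, but the code is a simplified model and does not implement trust signatures.

```python
# Added example, not from the forum thread: a small model of the classic
# web-of-trust validity calculation, plus the fingerprint check done before
# signing and the effect of a local (non-exportable) signature on export.
# The keyring below is constructed for illustration; the "FPR-..." strings
# are placeholders, not real OpenPGP fingerprints.
from dataclasses import dataclass, field
from enum import IntEnum


class OwnerTrust(IntEnum):
    """How far you trust the key's owner to verify others before certifying."""
    UNKNOWN = 0
    NEVER = 1
    MARGINAL = 2
    FULL = 3
    ULTIMATE = 4


class Validity(IntEnum):
    """How sure the model is that the key belongs to the user ID it carries."""
    UNKNOWN = 0
    MARGINAL = 1
    FULL = 2
    ULTIMATE = 3


@dataclass
class Signature:
    signer: str              # fingerprint of the certifying key
    exportable: bool = True  # False for a local signature (lsign)


@dataclass
class Key:
    fpr: str
    uid: str
    owner_trust: OwnerTrust = OwnerTrust.UNKNOWN
    sigs: list = field(default_factory=list)


def fingerprint_matches(out_of_band: str, from_keyring: str) -> bool:
    """Compare a fingerprint read off a card or over the phone with the
    keyring's copy. Only whitespace and case may differ."""
    norm = lambda s: "".join(s.split()).upper()
    return norm(out_of_band) == norm(from_keyring)


def compute_validity(keyring, marginals_needed=3, completes_needed=1, max_cert_depth=5):
    """Classic trust model with the GnuPG defaults 3 / 1 / 5.

    A key becomes FULLY valid with completes_needed certifications from
    fully valid keys of FULL (or ULTIMATE) owner trust, or marginals_needed
    from fully valid keys of MARGINAL owner trust. Fewer counting
    certifications give MARGINAL validity. Certifications from keys that are
    only marginally valid, or whose owner trust is UNKNOWN/NEVER, count for
    nothing, whatever user ID the certified key carries.
    """
    validity = {fpr: Validity.UNKNOWN for fpr in keyring}
    for key in keyring.values():
        if key.owner_trust == OwnerTrust.ULTIMATE:
            validity[key.fpr] = Validity.ULTIMATE

    for _ in range(max_cert_depth):
        previous = dict(validity)  # each round only uses signers settled last round
        for key in keyring.values():
            if previous[key.fpr] >= Validity.FULL:
                continue
            full = marginal = 0
            for sig in key.sigs:
                signer = keyring.get(sig.signer)
                if signer is None or previous[signer.fpr] < Validity.FULL:
                    continue
                if signer.owner_trust >= OwnerTrust.FULL:
                    full += 1
                elif signer.owner_trust == OwnerTrust.MARGINAL:
                    marginal += 1
            if full >= completes_needed or marginal >= marginals_needed:
                validity[key.fpr] = Validity.FULL
            elif full or marginal:
                validity[key.fpr] = Validity.MARGINAL
        if validity == previous:
            break
    return validity


def export_key(key: Key) -> Key:
    """What leaves the keyring on export: local signatures are dropped."""
    return Key(key.fpr, key.uid, key.owner_trust, [s for s in key.sigs if s.exportable])


# Constructed keyring: my own key is ultimately trusted, the rest are placeholders.
ME = "FPR-ME"
KEYRING = {k.fpr: k for k in [
    Key(ME, "Me <me@example.org>", OwnerTrust.ULTIMATE),
    # Checked an ID document and got the fingerprint in person; trusted to certify others.
    Key("FPR-ALICE", "Alice", OwnerTrust.FULL, [Signature(ME)]),
    # Verified the same way, but they sign keys casually: marginal owner trust only.
    Key("FPR-BOB", "Bob", OwnerTrust.MARGINAL, [Signature(ME)]),
    Key("FPR-CAROL", "Carol", OwnerTrust.MARGINAL, [Signature(ME)]),
    Key("FPR-DAVE", "Dave", OwnerTrust.MARGINAL, [Signature(ME)]),
    # Never met: validity comes only from other people's certifications.
    Key("FPR-EVE", "Eve", sigs=[Signature("FPR-BOB"), Signature("FPR-CAROL")]),
    Key("FPR-FRANK", "Frank", sigs=[Signature("FPR-BOB"), Signature("FPR-CAROL"), Signature("FPR-DAVE")]),
    Key("FPR-GRACE", "Grace", sigs=[Signature("FPR-ALICE")]),
    Key("FPR-HEIDI", "Heidi", sigs=[Signature("FPR-EVE")]),
    # A key that merely carries Alice's user ID, certified by nobody.
    Key("FPR-IMPOSTOR", "Alice", sigs=[]),
    # Someone I know privately: signed locally so the signature stays on my keyring.
    Key("FPR-IVAN", "Ivan", sigs=[Signature(ME, exportable=False)]),
]}

VALIDITY = compute_validity(KEYRING)

if __name__ == "__main__":
    for fpr, v in VALIDITY.items():
        print(f"{fpr:14} {KEYRING[fpr].uid:22} {v.name}")
    print("exported Ivan carries", len(export_key(KEYRING["FPR-IVAN"]).sigs), "signatures")
    print("fingerprint check:", fingerprint_matches("1234 5678 abcd", "12345678ABCD"))
```

Running it shows why the second key carrying "Alice" stays UNKNOWN while the real one is FULL, why Frank (three marginally trusted signers) is FULL but Eve (two) only MARGINAL, and why Heidi gets nothing from Eve's signature: a marginally valid key is not a usable introducer. Lowering marginals_needed to 2 makes Eve FULL, which is the kind of threshold change the different trust models and settings jmoore3rd mentions can cause.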
