When is key signing necessary?


If you've validated that a person's public key is actually from who you think it is by verifying the fingerprint in person/over the phone, is signing their public key still necessary?

Especially if you plan on not decrypting messages yourself, but only plan on encrypting a message with the valid public key, is key signing still necessary?

3

There are 3 answers

0
Paul M Furley (BEST ANSWER)

I find it useful to sign a key for a couple of reasons:

  1. To reassure me in the future that the key hasn't changed.
  2. To help the key owner prove their key to others via the web-of-trust.

On point 1), it's easy enough to verify a fingerprint now but are you going to do this every time you send that person encrypted mail or check their signature? Signing the key means you can forget the fingerprint.

On point 2), the owner of the public key may appreciate your signature on their key to help convince others that their key belongs to them. For example if I sign Alice's key and Bob has verified my key, Bob can choose to trust Alice's key by virtue of my signature.

In practice, I believe the proper etiquette is to sign Alice's key then export it (gpg --export --armor <alice's key id>) and send it to Alice in an encrypted email. This allows her to choose how to use your signature on her key - she might decide to upload it to a keyserver or just send it directly to someone else. Alternatively she may decide not to reveal her association to you and never use the signed key.

Note: I believe it's poor etiquette to upload someone else's key to a keyserver as you deny them that choice.
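The sign-then-export flow described in this answer, as an added example that is not part of the original post. It assumes gpg 2.1 or later; the names, addresses, paths and the throwaway, passphrase-less keyrings are all constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original thread: Paul's "sign, then export and
# hand the signed key back" flow, run offline with two throwaway keyrings
# (one for Alice, one for you as signer). Names, addresses and paths are
# constructed; keys are generated without a passphrase purely for the demo.
set -eu
command -v gpg >/dev/null 2>&1 || { echo "gpg not installed"; exit 0; }

WORK=$(mktemp -d); ALICE_HOME="$WORK/alice"; ME_HOME="$WORK/me"
mkdir -p "$ALICE_HOME" "$ME_HOME"; chmod 700 "$ALICE_HOME" "$ME_HOME"

# Run gpg against one of the private keyring directories, non-interactively.
g() { h=$1; shift; gpg --homedir "$h" --batch --yes --pinentry-mode loopback --passphrase '' "$@"; }
# Primary-key fingerprint for a user id (field 10 of the first "fpr" record).
fpr() { g "$1" --with-colons --fingerprint "$2" | awk -F: '$1=="fpr"{print $10; exit}'; }
# Number of certifications on key $2 made by signer key id $3 (field 5 of "sig" records).
count_sigs_by() { g "$1" --with-colons --list-sigs "$2" | awk -F: -v k="$3" '$1=="sig"&&$5==k{n++} END{print n+0}'; }

# Each party generates its own key pair in its own keyring.
g "$ALICE_HOME" --quick-generate-key 'Alice <alice@example.com>' default default never 2>/dev/null
g "$ME_HOME"    --quick-generate-key 'Me <me@example.com>'       default default never 2>/dev/null
ALICE_FPR=$(fpr "$ALICE_HOME" alice@example.com)
MY_FPR=$(fpr "$ME_HOME" me@example.com)
MY_KEYID=$(printf %s "$MY_FPR" | tail -c 16)

# Alice hands over only her public key. This is the key whose fingerprint
# ($ALICE_FPR) you compare with her in person or over the phone before signing.
g "$ALICE_HOME" --export --armor "$ALICE_FPR" > "$WORK/alice.asc"
g "$ME_HOME" --import "$WORK/alice.asc" 2>/dev/null

# Step 1: certify Alice's key with yours. --quick-sign-key makes an exportable
# signature, the kind the web of trust can use (--quick-lsign-key would not).
g "$ME_HOME" --local-user "$MY_FPR" --quick-sign-key "$ALICE_FPR"

# Step 2: export the now-signed public key; this is the file to send Alice,
# encrypted to her, so she decides whether it ever reaches a keyserver.
g "$ME_HOME" --export --armor "$ALICE_FPR" > "$WORK/alice-signed.asc"

# Alice's keyring carries no certification from you until she imports it.
BEFORE=$(count_sigs_by "$ALICE_HOME" "$ALICE_FPR" "$MY_KEYID")
g "$ALICE_HOME" --import "$WORK/alice-signed.asc" 2>/dev/null
AFTER=$(count_sigs_by "$ALICE_HOME" "$ALICE_FPR" "$MY_KEYID")
echo "certifications by $MY_KEYID on Alice's key: before=$BEFORE after=$AFTER"

# Stop the per-keyring agents and remove the throwaway keyrings.
gpgconf --homedir "$ALICE_HOME" --kill gpg-agent || true
gpgconf --homedir "$ME_HOME" --kill gpg-agent || true
rm -rf "$WORK"
```

Run it as a script; the final line reports 0 certifications by your key before Alice imports the file and 1 afterwards.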

0
Jerome Anthony

If you can verify the person owning the public key you don't have to worry about signing. The ability to verify the public key is from whom you trust it to be is the important thing. In saying this, if you are getting the public key from some public key server, then how will you be able to trust it's from the user you think it is from? In such a case the signing is a valid consideration.

Following are some useful links related to this.

Hope this helps.

0
guidot

Your decrypting is done with YOUR private key.

Not signing the (public) key of somebody else will possibly issue ugly warnings, show nasty icons in your public key list, and not help in any way to manifest your checking process for somebody else, i.e. build the web of trust. So it is more a question of style than a technical difference.