If you've validated that a persons public key is actually from who you think it is by verifying the fingerprint in person/over the phone, is signing their public key still necessary?
Especially if you plan on not decrypting messages yourself, but only plan on encrypting a message with the valid public key, is key signing still necessary?
I find it useful to sign a key for a couple of reasons:
On point 1), it's easy enough to verify a fingerprint now but are you going to do this every time you send that person encrypted mail or check their signature? Signing the key means you can forget the fingerprint.
On point 2), the owner of the public key may appreciate your signature on their key to help convince others that their key belongs to them. For example if I sign Alice's key and Bob has verified my key, Bob can choose to trust Alice's key by virtue of my signature.
In practice, I believe the proper etiquette is to sign Alice's key then export it (
gpg --export --armor <alice's key id>
) and send it to Alice in an encrypted email. This allows her to choose how to use your signature on her key - she might decide to upload it to a keyserver or just send it directly to someone else. Alternatively she may decide not to reveal her association to you and never use the signed key.Note: I believe it's poor etiquette to upload someone else's key to a keyserver as you deny them that choice.