Digital Signing
Voltage Spike
plug-discuss@lists.plug.phoenix.az.us
Thu, 26 Sep 2002 10:40:31 -0700
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On Wednesday, September 25, 2002, at 04:11 PM, Randy Kaelber wrote:
> I'd mark it as untrusted and certainly wouldn't sign it
> until I met you face to face and verified your bona fides adequately.

Why shouldn't I mark all keys as trusted? The majority of my
interaction with the people on this list comes through the list itself.
You claim to be Randy Kaelber, and your words and mannerisms tell me
who you are. Thus, I increase my trust in you with every mail until I
"Ultimately" agree that every message I got was from the same person.
If I wanted to send a message to "Randy Kaelber", why shouldn't I be
reasonably sure that the guy who gets that message will be the one with
whom I interact on the PLUG list? To further make my point, I claim to
be "Voltage Spike". This claim cannot be verified by meeting in person
or by examining a driver's license. I have created a personality for
myself online, and that personality should exist independent of the
"meat space".

However, I don't sign keys because I never really understood when it
was appropriate. Under what circumstances would you be so confident
that my key really belongs to "Voltage Spike" that it would warrant a
signing?

PS: When I sign a key, do I have to publish the signed key somehow?
With what command? Is the keyserver able to merge the signings into
the pre-existing key, or do signatures somehow "branch off" of the key
as separate entities?

PPS: What is the "secret keyring"? Is that simply another name for
what is generally termed a private key (i.e. the secret keyring
contains only my identities)?
- --
Voltage Spike
,,,
(. .)
- --ooO-(_)-Ooo--
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (Darwin)
iD8DBQE9k0aWpNoctRtUIRQRAr7KAJ9XKoHpMVTKIWBM5zTYO+xv0dfoYQCcDhw5
ZD52UBEwQNR522dNUDUxu6o=
=+RpY
-----END PGP SIGNATURE-----