Subj : Re: PGP question
To : alterego
From : Warpslide
Date : Tue Jun 09 2020 07:36 am

On 09 Jun 2020, alterego said the following...

al> So the only value of cross-signing keys is to increase trust (of the
al> public key). IE: If Alice and Bill signed Cindy's key, and I receive
al> something from Cindy it must be Cindy (not somebody pretending to be
al> Cindy) because I know Alice and Bill and trust them...

Exactly, cross-signing is only for increasing the trust level for that key.

When I was playing around with PGP many years ago there was this web-of-trust thing still happening. (It might still be?) I met a couple of people in a downtown coffee shop & we all showed each other our driver's licenses (this was before smartphones, so there was no risk of them taking a picture of the ID), we had a coffee and a few hours later I got an email saying they had signed my key, and I signed theirs.

I don't know that that really made it any more "trustworthy".

Nowadays you can publish your public key in DNS, and if you happen to have DNSSEC enabled you can trust the response hasn't been tampered with.

e.g: If there was a PGP public key published as a TXT record at:

alterego._pka.alterant.leenook.net

And it contained "v=pka1;fpr=;uri=https://alterant.leenook.net/alterego.pub.txt"

Assuming the DNS answer was signed with DNSSEC and the URI pointed to an https site, I would trust that key just as much as if it were signed by 300 random strangers.

al> (But Cindy also needs to give you her cross signed public key by Alice
al> and Bill right?)

Exactly, each time your key is signed, it would need to be re-published.

Jay

--- Mystic BBS v1.12 A45 2020/02/18 (Windows/32)
* Origin: Northern Realms BBS | bbs.nrbbs.net | Binbrook, ON (21:3/110)
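
An added example, not part of the original message: a Python check of a PKA TXT record like the one described above, reporting what still has to hold before the key it points to is relied on. The function names are hypothetical, the 40-hex fingerprint is a constructed sample assuming a v4 key, the DNSSEC result is assumed to come from the caller's validating resolver, and the `fpr` value is empty in the message as it appears here and is left that way.

```python
import re
from urllib.parse import urlparse

FPR_RE = re.compile(r"^[0-9A-Fa-f]{40}$")  # assumption: v4 key, 160-bit fingerprint in hex
RECORD_FROM_POST = "v=pka1;fpr=;uri=https://alterant.leenook.net/alterego.pub.txt"
CONSTRUCTED_FPR = "0123456789ABCDEF0123456789ABCDEF01234567"  # constructed sample value


def parse_pka(txt):
    """Split 'v=pka1;fpr=...;uri=...' into a dict; only the first '=' separates key and value."""
    fields = {}
    for part in txt.strip().strip('"').split(";"):
        if not part.strip():
            continue
        key, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed field: {part!r}")
        fields[key.strip().lower()] = value.strip()
    return fields


def pka_problems(txt, dnssec_validated, fetched_fpr=None):
    """Return reasons not to rely on the record; an empty list means every check passed.

    dnssec_validated: result from the caller's validating resolver (not checked here).
    fetched_fpr: fingerprint computed from the key downloaded from the uri, if available.
    """
    try:
        fields = parse_pka(txt)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    if fields.get("v") != "pka1":
        problems.append("not a pka1 record")
    if not dnssec_validated:
        problems.append("DNS answer not DNSSEC-validated")
    fpr = fields.get("fpr", "").replace(" ", "")
    if not FPR_RE.match(fpr):
        problems.append("fpr missing or not 40 hex digits: record does not pin a key")
    elif fetched_fpr is not None and fetched_fpr.replace(" ", "").upper() != fpr.upper():
        problems.append("downloaded key fingerprint differs from fpr")
    uri = urlparse(fields.get("uri", ""))
    if uri.scheme != "https" or not uri.hostname:
        problems.append("uri missing or not https")
    return problems
```

With a fingerprint present, the DNSSEC-signed record pins the key itself, so the file fetched from the URI can be checked against `fpr` instead of being trusted because of where it was downloaded from.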