@elmussol: Part of enjoying an open Web is being able to determine and fully control your privacy options when you need to. So I'm resharing this for Open Web.
♲ Paul Taylor
GPG -- what I do
We've had a lot of discussion about #GPG over the last few days and the first thing I want to say is "Don't sign anything until you've read this". The second thing to say is that these are my thoughts on how GPG works for me; this is not the official 'line'.
It's all about trust and building a web of that trust. But I think we have to be really careful about what we mean by the word trust here. Is it "I trust $person with my kids, to water my plants, look after my vinyl collection &/or my personal data", or is it "I trust $person is who they say they are"? Sorry for the leading question, but I think it needs stating.
So I have no GPG data on Thomas who runs #KakSte, for example, but I trust him with my data. There are others who I have had extensive, wide-ranging and meaningful conversations with and won't sign their GPG keys. Why?
Whenever I get new GPG information from someone I try and verify that information. There are keyservers that you can reference. GPG keys are tied to email addresses; I often send a signed email and ask for a signed reply. I can check their #friendica profile. When this all checks out to my satisfaction, I raise my trust level of that key to marginal and say I trust their signature on other keys. I then publish that to my keyserver.
Now to get a key signed by me, I preferably meet you in person and I see some ID and some proof that the key is yours. The only non-face-to-face key signings I've done have been with new keys for old contacts. A telephone call where we share only stuff we would know has worked for me.
I may be more hardcore than many on this, but me signing your key means that I trust 100% that you are who you say you are and you have control of that key. It does not mean that I trust you with my record collection.
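The post distinguishes two things that GnuPG keeps separate: the ownertrust you assign to a person (how much you trust their signatures on other keys, e.g. "marginal") and the validity GnuPG then derives for each key (how sure it is that the key belongs to the named person). The following is an added example, not code from the original post or from GnuPG; it is a simplified model of GnuPG's documented default rules (one fully trusted signer or three marginally trusted signers, certification chains of at most five steps), and the key names, ownertrust values and signatures are constructed sample data.

```python
"""Simplified model of how GnuPG turns ownertrust into key validity.

Added example, not part of the original post. It uses GnuPG's documented
default thresholds (one fully trusted signer or three marginally trusted
signers, and a certification chain of at most five steps). The key names
and signatures below are constructed sample data.
"""
from typing import Dict, Set

# Ownertrust levels the local user assigns ("how much do I trust this
# person's signatures on other keys"), and the validity levels derived
# from them ("how sure am I this key belongs to the named person").
ULTIMATE, FULL, MARGINAL, UNKNOWN = "ultimate", "full", "marginal", "unknown"

COMPLETES_NEEDED = 1   # GnuPG default --completes-needed
MARGINALS_NEEDED = 3   # GnuPG default --marginals-needed
MAX_CERT_DEPTH = 5     # GnuPG default --max-cert-depth


def compute_validity(ownertrust: Dict[str, str],
                     signatures: Dict[str, Set[str]]) -> Dict[str, str]:
    """Return the validity of every key given ownertrust and signatures.

    ownertrust: key -> trust level the local user assigned to that key's owner
    signatures: key -> set of keys whose owners have signed (certified) it
    """
    validity = {k: UNKNOWN for k in set(ownertrust) | set(signatures)}
    # Your own keys (ultimate ownertrust) are valid by definition: depth 0.
    for key, trust in ownertrust.items():
        if trust == ULTIMATE:
            validity[key] = FULL

    # Each round extends the certification chain by one step, so stopping
    # after MAX_CERT_DEPTH rounds enforces the depth limit.
    for _ in range(MAX_CERT_DEPTH):
        snapshot = dict(validity)
        changed = False
        for key, signers in signatures.items():
            if snapshot[key] == FULL:
                continue
            # A signature only counts if the signer's own key is fully valid
            # AND the local user has given the signer some ownertrust.
            full = sum(1 for s in signers
                       if snapshot.get(s) == FULL
                       and ownertrust.get(s) in (ULTIMATE, FULL))
            marginal = sum(1 for s in signers
                           if snapshot.get(s) == FULL
                           and ownertrust.get(s) == MARGINAL)
            if full >= COMPLETES_NEEDED or marginal >= MARGINALS_NEEDED:
                new = FULL
            elif full + marginal > 0:
                new = MARGINAL      # some trusted signers, but not enough
            else:
                new = snapshot[key]
            if new != validity[key]:
                validity[key] = new
                changed = True
        if not changed:
            break
    return validity


# Constructed sample keyring. "me" is the local user, who has verified and
# signed alice, bob, carol and dave; only alice was given full ownertrust,
# the others marginal, as in the post's practice.
SAMPLE_OWNERTRUST = {
    "me": ULTIMATE,
    "alice": FULL,
    "bob": MARGINAL,
    "carol": MARGINAL,
    "dave": MARGINAL,
}
SAMPLE_SIGNATURES = {
    "alice": {"me"}, "bob": {"me"}, "carol": {"me"}, "dave": {"me"},
    "eve": {"alice"},                   # one fully trusted signer is enough
    "frank": {"bob", "carol"},          # two marginals: only marginal validity
    "grace": {"bob", "carol", "dave"},  # three marginals: fully valid
    "helen": {"frank"},                 # frank is not fully valid: no effect
}

if __name__ == "__main__":
    for key, v in sorted(compute_validity(SAMPLE_OWNERTRUST,
                                          SAMPLE_SIGNATURES).items()):
        print(f"{key:6s} {v}")
```

The point the model makes concrete is the one the post draws: signing a key (certifying identity) and assigning ownertrust (trusting someone's certifications) are different decisions, and a marginal ownertrust on a contact only makes other people's keys valid in aggregate, never on its own. On a real keyring the same inputs are set with the `trust` command inside `gpg --edit-key` and recomputed with `gpg --check-trustdb`.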