[Deutsche Version]

The meaning of a PGP/GnuPG key certificate

The meaning of a PGP key certificate is actually not absolutely defined. There are different interpretations of such a signature. For example:

1. I confirm, that the signed key belongs to the person mentioned in the UserID-field.
   This statement is not very precise. Often the name mentioned in the UserID (like Joe Smith) can belong to multiple persons.
2. I confirm, that the person with the name mentioned in the UserID field told me, that this key belongs to him.
   This statement can be done, if Joe Smith shows his picture ID and says: Here are my key properties. Please sign my key.
3. I confirm, that his key belong to a person with the name mentioned in the UserID field. This statement can be done, if Joe Smith:
   • shows his picture ID.
   • gives you his key properties.
   • proves that he can decrypt a message encrypted with this public key.
   By decrypting the encrypted message, Joe Smith proves, that he has access to the secret key which belongs to the given public key.

Even if there was the possibility to show the intended meaning of a key certificate, there are still open questions:

1. What kind of ID was used by Joe Smith to prove his identity?
2. How sure can you be about the correctness of his ID?
3. How sure can you be, that the ID really belongs to the person showing you this ID?
4. How sure can you be, that the secret key has not been stolen?

Some of the questions have to be posed on every person identification....

If you think about such questions, think about the meaning of a signature on a piece of paper...

This all leads to the important trust-setting in the web of trust. See also the explanation of the web of trust.