I really don’t understand what point this article is trying to make. You never need to publish a key signature to communicate with PGP if you’d rather not. Key signing is an intentionally public act related to the Web of Trust. So… what’s the big deal? A key signature proves nothing except that the holder of one key is willing to vouch for another key. Actual personal connections, business dealings, face-to-face meetings, etc. might be presumed, but it’s not proof. I can’t imagine anyone is signing keys without realizing that they will be public.

Far more interesting, IMO, is the fact that PGP messages by default contain unencrypted metadata identifying the intended recipients: https://twitter.com/ioerror/status/352253686283649024.
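As an added example (not the commenter's code) of that recipient-metadata point, here is a small Python parser that walks an OpenPGP message's packet headers and reads the recipient key IDs out of the cleartext Public-Key Encrypted Session Key packets; the sample packets are constructed, and the all-zero wildcard key ID is what GnuPG emits for `--throw-keyids` / `--hidden-recipient`.

```python
# Added example (not from the thread): a minimal OpenPGP (RFC 4880) packet
# walker that lists the recipient key IDs from Public-Key Encrypted Session
# Key packets (tag 1). Those IDs sit in cleartext ahead of the encrypted body.
from typing import List, Tuple

# All-zero key ID is the wildcard that gpg --throw-keyids / --hidden-recipient emit.
WILDCARD_KEY_ID = "0000000000000000"

def read_packets(data: bytes) -> List[Tuple[int, bytes]]:
    """Return (tag, body) for each packet; old and new headers, no partial lengths."""
    packets, i = [], 0
    while i < len(data):
        ctb = data[i]
        if not ctb & 0x80:
            raise ValueError(f"bad packet tag byte at offset {i}")
        if ctb & 0x40:  # new-format header
            tag, first = ctb & 0x3F, data[i + 1]
            if first < 192:
                length, hdr = first, 2
            elif first < 224:
                length, hdr = ((first - 192) << 8) + data[i + 2] + 192, 3
            elif first == 255:
                length, hdr = int.from_bytes(data[i + 2:i + 6], "big"), 6
            else:
                raise ValueError("partial body lengths not supported")
        else:  # old-format header: length type in low two bits
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not supported")
            n = (1, 2, 4)[ltype]
            length, hdr = int.from_bytes(data[i + 1:i + 1 + n], "big"), 1 + n
        packets.append((tag, data[i + hdr:i + hdr + length]))
        i += hdr + length
    return packets

def recipient_key_ids(data: bytes) -> List[str]:
    """Hex key ID of every version-3 PKESK packet: version, key ID[8], algo, MPIs."""
    return [body[1:9].hex() for tag, body in read_packets(data)
            if tag == 1 and body and body[0] == 3]

def pkesk(key_id: bytes) -> bytes:
    """Constructed PKESK with an RSA algorithm byte and a dummy 8-bit MPI."""
    body = b"\x03" + key_id + b"\x01" + b"\x00\x08\xab"
    return bytes([0xC0 | 1, len(body)]) + body

# Constructed message: one named recipient, one hidden recipient, then a
# two-byte SEIPD (tag 18) stub standing in for the encrypted payload.
SAMPLE = (pkesk(bytes.fromhex("0123456789abcdef")) + pkesk(bytes(8))
          + bytes([0xC0 | 18, 2]) + b"\x01\x00")
```

Running `recipient_key_ids(SAMPLE)` lists both key IDs without any decryption key, which is exactly what a passive observer of the ciphertext can do; comparing each against `WILDCARD_KEY_ID` shows which recipients were hidden.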