BUG: Web of trust circumvention by secret key distribution

L. Sassaman rabbi at quickie.net
Thu Dec 7 12:08:59 CET 2000

Hash: SHA1

On Thu, 7 Dec 2000, Rodney Thayer wrote:

> no.  NAI PGP does that, and they end up with a user interface
> which causes you to treat all keys as "untrusted" unless you've
> signed them yourself.

That's not correct. PGP treats all keys as untrusted unless there is a
valid trust path to the key. That trust path can originate from a secret
key you possess on your key ring or from a third-party key you have
decided to trust.

There is nothing wrong with the system PGP uses. And, as Florian has
demonstrated, it is a lot safer than the current GnuPG system.

> Please, GPG's UI is nasty enough, let's not make it even harder to use.

User-interface issues are a related, but distinctly different, matter. I
am sure there is a way to make GnuPG behave safely and properly without
making it harder to use.

- --Len.


L. Sassaman

Security Architect             |  "The world's gone crazy,
Technology Consultant          |   and it makes no sense..."
http://sion.quickie.net        |                   --Sting

Comment: OpenPGP Encrypted Email Preferred.


More information about the Gnupg-devel mailing list