min-cert-level and lsigs

Nicholas Cole npcole at yahoo.co.uk
Wed Feb 9 10:21:33 CET 2005


> I'm rather sour on this whole 0x11 situation, and
> regret opening the
> door by adding the ability to make them in the first
> place.
> What do you think?

Other than that the web of trust is broken (in part)
because it tries to incorporate both human-readable
data (about which subjective judgements should be
made) and machine readable rules? That it would have
been much nicer if at some point early on gpg/pgp had
started asking "What checks did you make before
signing this key?" and putting the user comments in a
packet on the signature...  Oh well. :-)

I think that signatures made by ultimately trusted
keys should always be accepted. I think the message
"if you have signed a key with one of your own keys it
will always be trusted. Everything else is extra." is
an easy one for users to understand.

As you say, it is useful to have a note to yourself
about the circumstances in which you signed a key. 
That way you could adopt a trust model for yourself
where you don't mark anyone else as "trusted" (so that
all keys have to be signed by you to be used), but you
can still say: "Ah, that key is signed by Bob and
David, and they have said that they have made careful
checks on this key, and I know I trust them and that
they both know X, so I'll lsign this key 0x11 so that
I can use it."
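As an added illustration (not part of the post, and not GnuPG's own code), the following Python applies the rule proposed above to a key listing in `gpg --with-colons` format: certifications made by your own key always count, whatever their level, while everyone else's are filtered by a min-cert-level threshold (GnuPG's default is 2, which drops 0x11 persona certifications; level 0 "no particular claim" certifications are not filtered). The key ids and sig records are constructed for the example.

```python
# Constructed sample modelled on `gpg --list-sigs --with-colons` (no real keys).
# Field 5 = signer key id, field 11 = class: 0x10..0x13 followed by
# 'x' (exportable) or 'l' (local-only, i.e. made with --lsign-key).
SAMPLE = """\
pub:-:2048:1:FEDCBA9876543210:1107900000:::-:::scESC:
uid:-::::1107900000::0000000000000000000000000000000000000000::Carol <carol@example.org>:
sig:::1:FEDCBA9876543210:1107900000::::Carol <carol@example.org>:13x:
sig:::1:0123456789ABCDEF:1107950000::::Me <me@example.org>:11l:
sig:::1:1111222233334444:1107960000::::Bob <bob@example.org>:11x:
sig:::1:5555666677778888:1107970000::::David <david@example.org>:12x:
"""

MIN_CERT_LEVEL = 2                  # gpg default: ignore 0x11 persona certs
OWN_KEYIDS = {"0123456789ABCDEF"}   # constructed id standing in for "my key"


def parse_sigs(listing):
    """Yield (signer_keyid, level, is_local) for every sig record."""
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] != "sig" or len(f) < 11:
            continue
        cls = f[10]
        level = int(cls[:2], 16) - 0x10   # 0x10..0x13 -> 0..3
        yield f[4], level, cls.endswith("l")


def counting_signatures(listing, own=OWN_KEYIDS, min_level=MIN_CERT_LEVEL):
    """Return the signer key ids whose certifications are accepted.

    Rule from the post: a certification by one of your own keys always
    counts. Otherwise it counts if its level meets min_level, except that
    level 0 ("no particular claim") is never filtered by min-cert-level.
    Whether the signature is local-only affects export, not acceptance.
    """
    accepted = []
    for keyid, level, _is_local in parse_sigs(listing):
        if keyid in own or level == 0 or level >= min_level:
            accepted.append(keyid)
    return accepted


if __name__ == "__main__":
    for keyid in counting_signatures(SAMPLE):
        print("accepted certification from", keyid)
```

With the defaults, Bob's exportable 0x11 signature is dropped, but the local 0x11 signature from your own key is kept, which is exactly the "lsign it 0x11 so I can use it" workflow described above.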
