discussion on increasing amount of gpg signatures...

David Shaw dshaw@jabberwocky.com
Sun Oct 14 19:13:01 2001


On Fri, Oct 12, 2001 at 08:21:57PM -0700, Len Sassaman wrote:

> On Fri, 12 Oct 2001, Ben Paul Wise wrote:
>
> > Johan et al:
> >
> > The "web of trust" is not meant to determine honesty, reliability,
> > discretion, etc. It is meant to be a web of certifications that the keys
> > are actually in use by those who appear to be using them.
>
> And furthermore, this varies by degrees as well.
>
> Some people have "high-security" signing keys, which they use to sign
> keys belonging to people of whose identity they are absolutely positive; "low
> security keys" they use to sign online acquaintances' keys; pseudonym
> signing keys, etc.

Don't forget that OpenPGP lets people put this sort of information into
the signature itself. There are 4 levels of classification ranging from
"I'm not going to say", to "I checked this extensively". Of course, one
person's "extensively" is likely to be different from another person's,
so you must still consider who the signer is, but it's handy to be able
to do it without separate keys.

At the moment, GnuPG (and PGP too) mark all signatures[1] as "I'm not
going to say". I think I feel a patch coming on..

David

[1] Actually, GnuPG marks self-signatures as "I checked this
    extensively", which makes sense. If you aren't sure that you are
    yourself, then you have other problems.

-- 
   David Shaw  |  dshaw@jabberwocky.com  |  WWW http://www.jabberwocky.com/
+---------------------------------------------------------------------------+
   "There are two major products that come out of Berkeley: LSD and UNIX.
      We don't believe this to be a coincidence." - Jeremy S. Anderson