Robot CA at toehold.com

David Shaw dshaw@jabberwocky.com
Mon Dec 9 01:01:01 2002


On Sun, Dec 08, 2002 at 06:48:23PM -0500, Jason Harris wrote:
> On Sun, Dec 08, 2002 at 05:51:06PM -0500, David Shaw wrote:
> > On Sun, Dec 08, 2002 at 05:19:41PM -0500, Jason Harris wrote:
> > 
> > > > Do you intend to give a "sig!1" to everybody who ever answered to an
> > > > encrypted e-mail you sent to them? They all proved that their e-mail
> > > > address is valid.
> > > 
> > > Not at all; I only do so when I have a good reason.
> > 
> > Keep in mind that despite you tagging the signature as persona, no
> > OpenPGP program treats it any differently.  You're making a strong
> > binding there, and calling it weak doesn't make it weak.  People
> > depend on you as a member of the web of trust to not do this.
> 
> I'm aware of the current shortcomings of keyanalyze, pathfinder,
> and GPG, but still feel that 0x11/persona signatures have their place.

Don't forget PGP.  You're making signatures that act incorrectly for
exactly 100% of the user base of OpenPGP.  Are you sure you want to do
that?

Even if we could wave a magic wand and suddenly upgrade every other
piece of software, PGP doesn't handle multiple signature levels and
most likely will never handle them.

Anyway, you know all this.  It is one of the nice things about OpenPGP
that everyone gets to decide for themselves what they trust.  In my
opinion, a key that issues weak signatures is a key that doesn't get
trust.  Of course, that's just me.

David

-- 
   David Shaw  |  dshaw@jabberwocky.com  |  WWW http://www.jabberwocky.com/
+---------------------------------------------------------------------------+
   "There are two major products that come out of Berkeley: LSD and UNIX.
      We don't believe this to be a coincidence." - Jeremy S. Anderson
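As an added illustration of the point made in this thread (example code, not David's, Jason's or GnuPG's own): a small Python audit over a constructed, simplified `gpg --with-colons --list-sigs` listing that reports the level of each third-party certification and flags the exportable ones below positive (0x13), since path-finding tools and PGP weigh all four levels identically. The key IDs and user IDs are made up for the example.

```python
from collections import Counter

# Certification signature types from RFC 4880, section 5.2.1.
CERT_LEVELS = {0x10: "generic", 0x11: "persona", 0x12: "casual", 0x13: "positive"}

# Constructed sample of `gpg --with-colons --list-sigs` output (simplified; not a real key).
# Field 5 is the signer key ID, field 10 the signer user ID, field 11 the signature
# class: two hex digits plus 'x' (exportable) or 'l' (local, non-exportable).
SAMPLE = """\
pub:u:1024:17:FFFFFFFF00000000:2002-01-01:::u:Example User <user@example.com>::scaESCA:
sig:::17:FFFFFFFF00000000:2002-01-01::::Example User <user@example.com>:13x:
sig:::17:1111111122222222:2002-12-08::::Certifier One <one@example.com>:11x:
sig:::17:3333333344444444:2002-12-08::::Certifier Two <two@example.com>:10x:
sig:::17:5555555566666666:2002-12-08::::Certifier Three <three@example.com>:13l:
"""

def parse_listing(colon_output):
    """Return (key_id, certifications); each certification is
    (signer_keyid, signer_uid, level, exportable)."""
    key_id, certs = None, []
    for line in colon_output.splitlines():
        f = line.split(":")
        if f[0] == "pub" and len(f) > 4:
            key_id = f[4]
        elif f[0] == "sig" and len(f) > 10 and len(f[10]) >= 3:
            level = int(f[10][:2], 16)
            if level in CERT_LEVELS:
                certs.append((f[4], f[9], level, f[10][2] == "x"))
    return key_id, certs

def audit_certifications(colon_output):
    """Count third-party certifications by level and flag exportable ones below
    positive (0x13).  Every flagged entry still carries full weight in path-finding
    tools and PGP, which ignore the level; the label is advisory only."""
    key_id, certs = parse_listing(colon_output)
    counts, flagged = Counter(), []
    for signer, _uid, level, exportable in certs:
        if signer == key_id:
            continue  # self-signature: binds the owner's own user ID, not a third-party attestation
        counts[CERT_LEVELS[level]] += 1
        if exportable and level < 0x13:
            flagged.append((signer, CERT_LEVELS[level]))
    return counts, flagged

if __name__ == "__main__":
    counts, flagged = audit_certifications(SAMPLE)
    print(dict(counts))
    for signer, label in flagged:
        print(f"{signer}: {label} certification, treated as full by current software")
```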