IDs, signatures and all that stuff

Martin Christensen factotum@gvdnet.dk
Mon Mar 11 20:43:01 2002


>>>>> "Mark" == Mark Brown <broonie@sirena.org.uk> writes:
>> Wouldn't that mean that I could create ad hoc bogus IDs for causing
>> general mayhem?
Mark> Not really.  The trust he's talking about is not for your IDs,
Mark> it's for trusting your signatures on other people's keys.  If
Mark> you've got two IDs on your key, one very widely signed and one
Mark> not signed except by yourself your signature on other people's
Mark> keys will still come into play on the web of trust even though
Mark> your second ID might not be verifiable.

I'm starting to feel rather stupid now, like a fairly intelligent
bloke such as myself _should_ grok this model without even blinking. I
wonder, then, how Joe Luser is expected to understand a word of it,
especially given an assumed very low interest in technical matters by
default.

Anyway, I digress.

I am failing to see a couple of things here. Signatures are the glue
of the web of trust model, and trust is calculated on a per-key basis,
not on a per-ID basis. Then what is the point in signing IDs? But on
the other hand, if there's no signing on a per-ID basis, then, after
getting a number of signatures, someone might create bogus IDs.

I don't think that I'm mixing up trust and signatures here... but who
knows? Signatures should be all about verifying people's identities,
but in creating a new ID, how do I avoid having to have that
particular ID signed all over again[1]? Needless to say, pulling keys
out of the web of trust is a Bad Thing(tm), but that doesn't seem to
be the argument that most people make when they tell you to make a new
ID rather than a new key. The current system makes relatively good
sense, but to me it doesn't seem to make _perfect_ sense. ARGH!

Martin


[1] I guess that once someone has signed your key once, and therefore
should trust that you are who you say you are, then, because they
trust your key, they'll not be reluctant to sign a reasonable new ID.

-- 
Homepage:       http://www.cs.auc.dk/~factotum/
GPG public key: http://www.cs.auc.dk/~factotum/gpgkey.txt
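Mark's point above (certifications attach to one user ID, while the trust that makes a key's own certifications count is a per-key property), worked through as an added example; this is not code from the list or from GnuPG, and the key names and the marginals threshold are constructed assumptions:

```python
# Added example (not GnuPG's code): toy model of OpenPGP web-of-trust validity. Certifications
# bind a user ID to a key; ownertrust is per key. The model keeps the two apart, as Mark says.
from dataclasses import dataclass, field

MARGINALS_NEEDED = 3   # assumption: GnuPG's default --marginals-needed

@dataclass
class Keyring:
    uids: dict = field(default_factory=dict)        # key id -> set of user IDs
    ownertrust: dict = field(default_factory=dict)  # key id -> unknown|marginal|full|ultimate
    certs: set = field(default_factory=set)         # (signer key, target key, user ID)

    def add_key(self, kid, *ids):
        self.uids[kid] = set(ids)
        self.certs |= {(kid, kid, u) for u in ids}  # self-signatures: the holder claims the IDs

    def validity(self):
        """Map (key, user ID) -> validity. Iterates to a fixed point, because a
        certifier's ownertrust only counts once that certifier's own key is valid."""
        result, valid_keys = {}, {k for k, t in self.ownertrust.items() if t == "ultimate"}
        while True:
            changed = False
            for kid, ids in self.uids.items():
                for uid in ids:
                    signers = [s for s, t, u in self.certs
                               if (t, u) == (kid, uid) and s != kid and s in valid_keys]
                    full = sum(self.ownertrust.get(s) in ("full", "ultimate") for s in signers)
                    marginal = sum(self.ownertrust.get(s) == "marginal" for s in signers)
                    if self.ownertrust.get(kid) == "ultimate":
                        v = "ultimate"
                    elif full >= 1 or marginal >= MARGINALS_NEEDED:
                        v = "full"
                    else:
                        v = "marginal" if marginal else "unknown"
                    if v in ("full", "ultimate"):
                        valid_keys.add(kid)
                    changed |= result.get((kid, uid)) != v
                    result[(kid, uid)] = v
            if not changed:
                return result

def mark_scenario():
    """Mark's case, constructed: Alice's home ID is self-signed only, yet her cert on Bob counts."""
    kr = Keyring(ownertrust={"ME": "ultimate", "ALICE": "full"})
    kr.add_key("ME", "Me <me@example.org>")
    kr.add_key("ALICE", "Alice <alice@work.example>", "Alice <alice@home.example>")
    kr.add_key("BOB", "Bob <bob@example.net>")
    kr.certs.add(("ME", "ALICE", "Alice <alice@work.example>"))  # we verified this ID
    kr.certs.add(("ALICE", "BOB", "Bob <bob@example.net>"))      # Alice vouches for Bob
    return kr.validity()
```

Alice's unverified home ID stays at validity "unknown", so a bogus extra ID gains nothing from the signatures on her other ID, while Bob's ID still becomes fully valid through her certification.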