Why CAs or public keysigning?

Ingo Klöcker ingo.kloecker@epost.de
Thu Jun 19 16:06:02 2003


On Thursday 19 June 2003 15:15, David Shaw wrote:
> On Thu, Jun 19, 2003 at 01:49:42AM +0200, Ingo Klöcker wrote:
> > Of course we can't hinder people from overrating their signatures.
> > But the above wording would make it more obvious that just checking
> > the identity is not enough for a high-rated signature. I'm
> > convinced that most people that overrated their signatures did so
> > because they thought that carefully checking the identity of the
> > key owner would be enough for a level 3 signature. IMO it's not
> > enough.
>
> Signature levels are user-specific (i.e. my "2" might be someone
> else's "3", or even "1").  I agree with you that many (or even most?)
> people just hit "3" and continue, but that is actually fine: for
> them, that is what a level 3 signature is.

And that's the problem. If the meaning of signature levels is a matter
of taste then signature levels are completely useless because they can
mean anything. It seems only a signature policy will really tell me
what a signature is worth.

> FWIW, the help text for the signature level prompt does say something
> similar to what you suggest, but it is only an example since users
> must be able to decide for themselves what the levels mean.

Help text? Ahh, I have to enter '?' at the "Your selection?" prompt.
That's not at all obvious. Please change the prompt to something like
"Your selection (enter '?' for more information)?".

Regards,
Ingo
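
The point argued above, that a certification level only says something once you know the signer's policy, can be checked mechanically. The following is an added example (not code from the thread or from GnuPG) that reads `gpg --with-colons --list-sigs` records, maps the RFC 4880 certification class to its level, skips self-signatures, and flags level-3 certifications from signers who have not published a signing policy; the key IDs, user IDs and the `KNOWN_POLICY` table are constructed for the demonstration.

```python
"""Added example: review certification levels in `gpg --with-colons --list-sigs`
output.  Sample records and the policy table below are constructed, not real keys."""

# RFC 4880 section 5.2.1 certification types as gpg prints them in the
# signature-class column: two hex digits plus 'x' (exportable) or 'l' (local).
CERT_LEVELS = {
    "10": 0,  # generic certification, no claim about verification
    "11": 1,  # persona certification, no verification done
    "12": 2,  # casual verification
    "13": 3,  # positive verification
}

# Constructed: signers known to publish a written signing policy.
KNOWN_POLICY = {"1111111111111111"}

# Constructed --with-colons output: one key, its self-signature, three third-party sigs.
SAMPLE = """\
pub:u:2048:1:AAAAAAAAAAAAAAAA:1055000000::::::scESC::::::
uid:u::::1055000000::0000000000000000000000000000000000000000::Alice Example <alice@example.invalid>::::::::::0:
sig:::1:AAAAAAAAAAAAAAAA:1055000000::::Alice Example <alice@example.invalid>:13x::AAAAAAAAAAAAAAAA:::8:
sig:::17:1111111111111111:1055100000::::Bob Policy <bob@example.invalid>:13x::1111111111111111:::2:
sig:::1:2222222222222222:1055200000::::Carol Quick <carol@example.invalid>:13x::2222222222222222:::8:
sig:::1:3333333333333333:1055300000::::Dave Careful <dave@example.invalid>:12l::3333333333333333:::8:
"""

def review(colons_output, known_policy=KNOWN_POLICY):
    """Return (signer_keyid, level, exportable, concern) per third-party certification.
    concern is None or a short reason a verifier might discount the signature."""
    findings = []
    own_keyid = None
    for line in colons_output.splitlines():
        fields = line.split(":")
        if fields[0] == "pub":
            own_keyid = fields[4]          # key that the following sig records certify
        elif fields[0] == "sig":
            signer = fields[4]
            if signer == own_keyid:
                continue                   # self-signature: not a third-party claim
            sig_class = fields[10]         # column 11 in gpg's DETAILS numbering
            level = CERT_LEVELS.get(sig_class[:2])
            exportable = sig_class.endswith("x")
            concern = None
            if level is None:
                concern = "unknown signature class " + sig_class
            elif level == 3 and signer not in known_policy:
                concern = "level 3 from a signer with no published policy"
            findings.append((signer, level, exportable, concern))
    return findings

if __name__ == "__main__":
    for finding in review(SAMPLE):
        print(finding)
```

Run against real output with `gpg --with-colons --list-sigs KEYID | python3 thisfile.py` after swapping the stdin read for `SAMPLE`; the policy table is the part each verifier has to fill in for themselves, which is exactly the thread's point.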

