Why CAs or public keysigning?

David Shaw dshaw@jabberwocky.com
Thu Jun 19 17:27:02 2003

On Thu, Jun 19, 2003 at 04:00:26PM +0200, Ingo Klöcker wrote:
> On Thursday 19 June 2003 15:15, David Shaw wrote:
> > On Thu, Jun 19, 2003 at 01:49:42AM +0200, Ingo Klöcker wrote:
> > > Of course we can't hinder people from overrating their signatures.
> > > But the above wording would make it more obvious that just checking
> > > the identity is not enough for a high-rated signature. I'm
> > > convinced that most people that overrated their signatures did so
> > > because they thought that carefully checking the identity of the
> > > key owner would be enough for a level 3 signature. IMO it's not
> > > enough.
> >
> > Signature levels are user-specific (i.e. my "2" might be someone
> > else's "3", or even "1").  I agree with you that many (or even most?)
> > people just hit "3" and continue, but that is actually fine: for
> > them, that is what a level 3 signature is.
> And that's the problem. If the meaning of signature levels is a matter
> of taste then signature levels are completely useless because they can
> mean anything. It seems only a signature policy will really tell me
> what a signature is worth.

They are useless by themselves, but quite useful *relative to a given
signer*.  While it is true that a "3" from someone else is different
from a "3" from me, it's also true that a "3" from me means something
different than a "2" from me.

I've toyed with an idea for a trust model where you could give
different ownertrust values to users based on these levels.  For
example, you could say "For signatures made by 99242560, I trust
moderately for a level 2, but fully for a level 3".

> > FWIW, the help text for the signature level prompt does say something
> > similar to what you suggest, but it is only an example since users
> > must be able to decide for themselves what the levels mean.
> Help text? Ahh, I have to enter '?' at the "Your selection?" prompt.
> That's not at all obvious. Please change the prompt to something like
> "Your selection (enter '?' for more information)?".
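The level-dependent ownertrust idea sketched in the message ("for signatures made by 99242560, trust moderately for a level 2, fully for a level 3") modelled in a few lines of Python. This is an added illustration, not code from GnuPG or from the thread: GnuPG's classic trust model assigns one ownertrust value per key, not one per certification level. The default thresholds of one fully trusted or three marginally trusted certifications are GnuPG's real defaults (--completes-needed 1, --marginals-needed 3); the per-level policies, the key IDs other than 99242560, and the user names are constructed, and the validity rules are a deliberate simplification of what gpg actually computes.

```python
from dataclasses import dataclass
from typing import Dict, Iterable

# Certification ("key signature") levels as GnuPG labels them
# (OpenPGP certification types 0x10-0x13).
LEVEL_NAMES = {0: "generic", 1: "persona", 2: "casual", 3: "positive"}

# GnuPG's default thresholds (--completes-needed / --marginals-needed).
COMPLETES_NEEDED = 1
MARGINALS_NEEDED = 3


@dataclass(frozen=True)
class Certification:
    signer: str  # key ID of the certifying key
    level: int   # 0..3


@dataclass(frozen=True)
class LevelTrust:
    """Hypothetical per-signer ownertrust keyed by certification level.

    This is the idea from the message, not GnuPG's real ownertrust model.
    Levels not listed carry no weight from this signer.
    """
    signer: str
    by_level: Dict[int, str]  # level -> "marginal" | "full"

    def weight(self, level: int) -> str:
        return self.by_level.get(level, "none")


def key_validity(certs: Iterable[Certification],
                 policies: Dict[str, LevelTrust]) -> str:
    """Simplified validity computation in the spirit of GnuPG's classic model.

    Each signer counts once (its highest-level certification wins). The key
    is fully valid if at least COMPLETES_NEEDED full-weight or
    MARGINALS_NEEDED marginal-weight certifications exist, marginally valid
    if any marginal-weight certification exists, otherwise unknown.
    """
    best: Dict[str, int] = {}
    for c in certs:
        if not 0 <= c.level <= 3:
            raise ValueError(f"invalid certification level {c.level}")
        best[c.signer] = max(c.level, best.get(c.signer, -1))

    full = marginal = 0
    for signer, level in best.items():
        policy = policies.get(signer)
        if policy is None:
            continue  # signer has no ownertrust at all
        w = policy.weight(level)
        if w == "full":
            full += 1
        elif w == "marginal":
            marginal += 1

    if full >= COMPLETES_NEEDED or marginal >= MARGINALS_NEEDED:
        return "full"
    if marginal > 0:
        return "marginal"
    return "unknown"


def demo() -> Dict[str, str]:
    # Constructed sample data. 99242560 is the key ID quoted in the message;
    # AAAA0001, AAAA0002 and BBBB9999 are placeholders.
    policies = {
        "99242560": LevelTrust("99242560", {2: "marginal", 3: "full"}),
        "AAAA0001": LevelTrust("AAAA0001", {2: "marginal", 3: "marginal"}),
        "AAAA0002": LevelTrust("AAAA0002", {2: "marginal", 3: "marginal"}),
    }
    keys = {
        "alice": [Certification("99242560", 3)],   # one full-weight cert
        "bob":   [Certification("99242560", 2)],   # one marginal-weight cert
        "carol": [Certification("99242560", 2),    # three marginal-weight certs
                  Certification("AAAA0001", 2),
                  Certification("AAAA0002", 3)],
        "dave":  [Certification("99242560", 1)],   # level 1 carries no weight
        "erin":  [Certification("BBBB9999", 3)],   # signer without ownertrust
    }
    return {name: key_validity(certs, policies) for name, certs in keys.items()}


if __name__ == "__main__":
    for name, validity in demo().items():
        print(f"{name}: {validity}")
```

The point the example makes is the one in the message: a "3" from 99242560 and a "3" from AAAA0002 carry different weight, but a "3" from 99242560 still means more than a "2" from the same signer.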

Version: GnuPG v1.2.3rc1 (GNU/Linux)
Comment: Key available at http://www.jabberwocky.com/david/keys.asc