The disadvantages of online KSP

David Shaw dshaw at jabberwocky.com
Sun Dec 26 14:11:54 CET 2004


On Sat, Dec 25, 2004 at 11:27:13PM -0500, Atom 'Smasher' wrote:
> On Sat, 25 Dec 2004, Ben Branders wrote:
> 
> >Or am I missing something here?
> >And has online KSP other disadvantages?
> ======================
> 
> where's the party? that's just a key-signing.
> 
> if you can't do any in-person identity checking, it's not much different 
> than just sending an email to anyone with a key and signing it if they 
> respond.
> 
> i at least hope that no one would sign one of these keys with anything 
> other than a level 0-1 signature, but certainly people will sign with 
> other levels.

Be very careful with the signature levels.  They're not as meaningful
as many people think.  First of all, they are really only for human
eyes - the web of trust does not give more trust with a level 3 than
with a level 2.  PGP and (until recently) GnuPG treat all signatures,
whether 0, 1, 2, or 3, alike.  These days, to help deal with a large
number of pointless and completely unchecked signatures, GnuPG
actually discards any level 1 signatures it sees.  Finally, note that
0 is not lower than 1.  0 is "I do not participate in this signature
scheme so I will not answer".  1 is the lowest.

The bottom line is that signature levels are vaguely useful as an
indication from one human being to another, but for the sake of the
web of trust, don't think that a lousy signature can be made less bad
by making it level 1.  A lousy signature is a lousy signature.

David
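An added example, not part of the thread and not GnuPG's own code: the script below walks a stream of OpenPGP packets using the RFC 4880 framing rules, reads the signature type byte of each signature packet, maps the certification types 0x10 to 0x13 onto the levels discussed above, and then applies the policy the message describes (level 1 discarded, level 0 "no claim" kept). The packet stream is constructed inline and is not a real signed key; the MPI at the end of each signature is a dummy, so nothing here verifies a signature. The cut-off parameter mirrors GnuPG's `--min-cert-level` option, whose default of 2 produces the behaviour David describes.

```python
"""Classify OpenPGP certification signatures by level and apply a
minimum-level policy.  Added example for the gnupg-users thread above;
packet data is constructed, not a real key."""

from dataclasses import dataclass

SIGNATURE_TAG = 2
USER_ID_TAG = 13

# RFC 4880 5.2.1: certification signature types -> "level" shown by gpg
CERT_TYPES = {
    0x10: 0,  # generic: "no particular claim" (not lower than 1)
    0x11: 1,  # persona: signer did no identity checking
    0x12: 2,  # casual checking
    0x13: 3,  # positive (substantial) checking
}


@dataclass
class Certification:
    offset: int    # where the packet starts in the stream
    sig_type: int  # raw signature type byte
    level: int     # 0..3 as above


def _read_packet_header(buf, pos):
    """Return (tag, body_start, body_len) for the packet at buf[pos]."""
    ctb = buf[pos]
    if not ctb & 0x80:
        raise ValueError(f"bad packet at offset {pos}: bit 7 clear")
    if ctb & 0x40:                       # new-format header
        tag = ctb & 0x3F
        b0 = buf[pos + 1]
        if b0 < 192:
            return tag, pos + 2, b0
        if b0 < 224:
            return tag, pos + 3, ((b0 - 192) << 8) + buf[pos + 2] + 192
        if b0 == 255:
            return tag, pos + 6, int.from_bytes(buf[pos + 2:pos + 6], "big")
        raise ValueError("partial body lengths not supported")
    tag = (ctb >> 2) & 0x0F              # old-format header
    ltype = ctb & 0x03
    if ltype == 3:
        raise ValueError("indeterminate length not supported")
    nbytes = (1, 2, 4)[ltype]
    return tag, pos + 1 + nbytes, int.from_bytes(buf[pos + 1:pos + 1 + nbytes], "big")


def iter_packets(buf):
    """Yield (tag, offset, body) for every packet in the stream."""
    pos = 0
    while pos < len(buf):
        tag, start, length = _read_packet_header(buf, pos)
        if start + length > len(buf):
            raise ValueError(f"truncated packet at offset {pos}")
        yield tag, pos, buf[start:start + length]
        pos = start + length


def certifications(buf):
    """Collect the certification signatures found in the stream."""
    found = []
    for tag, offset, body in iter_packets(buf):
        if tag != SIGNATURE_TAG or len(body) < 3:
            continue
        version = body[0]
        # v4: version, type, ...   v3: version, hashed-len(5), type, ...
        sig_type = body[1] if version == 4 else body[2] if version == 3 else None
        if sig_type in CERT_TYPES:
            found.append(Certification(offset, sig_type, CERT_TYPES[sig_type]))
    return found


def usable_for_trust(certs, min_cert_level=2):
    """Drop certs below min_cert_level; level 0 ('no claim') always stays,
    which is why 0 must not be read as 'lower than 1'."""
    return [c for c in certs if c.level == 0 or c.level >= min_cert_level]


# ---- constructed sample stream (dummy MPI, not a verifiable signature) ----
def _sig_packet(sig_type, new_format=True):
    body = (bytes([4, sig_type, 1, 8])   # v4, type, RSA, SHA-256
            + b"\x00\x00" + b"\x00\x00"  # empty hashed/unhashed subpackets
            + b"\xab\xcd"                # left 16 bits of hash (dummy)
            + b"\x00\x08\xff")           # 8-bit dummy MPI
    if new_format:
        return bytes([0xC0 | SIGNATURE_TAG, len(body)]) + body
    return bytes([0x80 | (SIGNATURE_TAG << 2), len(body)]) + body


def _uid_packet(uid):
    return bytes([0xC0 | USER_ID_TAG, len(uid)]) + uid


SAMPLE_STREAM = (_uid_packet(b"Sample User <sample@example.invalid>")
                 + _sig_packet(0x13) + _sig_packet(0x11, new_format=False)
                 + _sig_packet(0x10) + _sig_packet(0x12))

if __name__ == "__main__":
    certs = certifications(SAMPLE_STREAM)
    for c in certs:
        print(f"offset {c.offset:3d}: type 0x{c.sig_type:02x} -> level {c.level}")
    print("kept for trust:", [c.level for c in usable_for_trust(certs)])
```

Running the script lists four certifications at levels 3, 1, 0 and 2 and keeps levels 3, 0 and 2; raising `min_cert_level` to 3 would also drop the casual certification while still keeping the level 0 one.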