Global Directory signatures (was Re: GPG wants to check trustdb every day)

David Shaw dshaw at jabberwocky.com
Thu Dec 30 03:32:37 CET 2004


On Wed, Dec 29, 2004 at 03:03:50PM -0500, Atom 'Smasher' wrote:
> On Tue, 28 Dec 2004, Len Sassaman wrote:
> 
> > On Tue, 28 Dec 2004, Atom 'Smasher' wrote:
> >
> >>> * Ask the PGP folks to do something (what?)
> >> ===============
> >>
> >> if you're in contact with them, at least ask what the hell they're 
> >> thinking... this is a horrible pollution of the key-servers and WoT.
> >
> > How is this a pollution of the "web of trust"?
> =============
> 
> every signature on a key becomes part of the WoT... if (when?) automated, 
> expired or otherwise useless signatures start taking up a noticeable 
> percentage of the signatures collected on keys, it's noise. it's pollution 
> just as much as generating bogus keys and using them to sign real keys.

Generating bogus keys and using them to sign real keys is noise in the
web of trust.  The GD is actual useful signatures, though not useful
to all people.  Neither has any meaningful impact on the web of trust.
The web is just not designed that way.  If you don't give trust to a
bogus key that someone generated to be "funny", signatures from that
key are invisible to you.  Similarly, if you don't give trust to the
GD key, the GD signatures are invisible to you.  The web of trust is a
perfect example of a strict "opt in" system.

The worst thing that unusable signatures can do is to make keys larger
and make UI displays unattractive.  This isn't impacting the web of
trust.

David



More information about the Gnupg-users mailing list