Signing a Key
Jason Harris
jharris at widomaker.com
Sat Feb 5 18:28:34 CET 2005
On Fri, Feb 04, 2005 at 08:46:05PM -0500, David Shaw wrote:
> On Fri, Feb 04, 2005 at 06:51:31PM -0500, Jason Harris wrote:
> 0x11 signatures are also interesting things. When made by people (as
> opposed to robots) they are in effect someone making a public
> statement to say "Hey, look, I made a lousy signature". I can't
> imagine why someone would choose to advertise far and wide how
> terrible their signing policy is, but GnuPG allows people to do stupid
> things if they really want to.
You (continue to) assume _all_ humans who issue 0x11 signatures do so
without employing encrypted challenges?
> > (Thus, GPG's --min-cert-level probably needs to be settable per signer -
> > after reviewing the signer's policies - to account for these differences.)
>
> Your own statistics argue against this. 589 people in the entire
> OpenPGP world actually issued 0x11 signatures. Just 293 people issued
> more than one. Given the number of people using OpenPGP, 293 people
> is a rounding error. That's not worth having a whole new trust model
> for, especially given the serious security ramifications of 0x11
> signatures; it would be vastly more confusing to new users, and
> incompatible with PGP to boot.
Even ignoring 0x11 signatures, a 0x12 signature from a given issuer
implies less trust (due to less checking) than a 0x13 signature from
the same issuer. What is the point in (any OpenPGP program) throwing
this extra data away (by ignoring it in trust calculations)?
--
Jason Harris | NIC: JH329, PGP: This _is_ PGP-signed, isn't it?
jharris at widomaker.com _|_ web: http://keyserver.kjsl.com/~jharris/
Got photons? (TM), (C) 2004
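The exchange above is about how the four OpenPGP certification classes (0x10 generic, 0x11 persona, 0x12 casual, 0x13 positive) are collapsed by a single min-cert-level threshold when a trust database is built, and whether that threshold should instead be set per signer. The following Python model is an added example, not GnuPG code or anything posted in the thread; it mirrors the documented behaviour that level 0 (0x10) certifications are always accepted and that certifications below the threshold are ignored, and it adds a hypothetical per-signer override of the kind the reply suggests. The signer names and certifications are constructed sample data.

```python
"""Model of how OpenPGP certification classes pass a min-cert-level
filter, with a hypothetical per-signer override.  Constructed example;
not GnuPG's trustdb code."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Certification signature classes (RFC 4880, section 5.2.1).
GENERIC = 0x10   # no particular claim about how the identity was checked
PERSONA = 0x11   # signer made no identity verification at all
CASUAL = 0x12    # some casual verification
POSITIVE = 0x13  # substantial verification


def cert_level(sig_class: int) -> int:
    """Certification level 0..3 encoded in the low bits of the class."""
    if sig_class not in (GENERIC, PERSONA, CASUAL, POSITIVE):
        raise ValueError(f"not a certification class: {sig_class:#x}")
    return sig_class - GENERIC


@dataclass(frozen=True)
class Certification:
    signer: str      # constructed signer label (real trustdbs use key IDs)
    target_uid: str
    sig_class: int


def accepted(cert: Certification, min_cert_level: int = 2,
             per_signer: Optional[Dict[str, int]] = None) -> bool:
    """True if the certification counts toward trust.

    Level 0 certifications are always accepted, matching GnuPG's documented
    --min-cert-level behaviour.  The per_signer mapping is a hypothetical
    extension: a threshold chosen after reviewing that signer's policy.
    """
    level = cert_level(cert.sig_class)
    if level == 0:
        return True
    threshold = (per_signer or {}).get(cert.signer, min_cert_level)
    return level >= threshold


def accepted_certs(certs: Iterable[Certification], min_cert_level: int = 2,
                   per_signer: Optional[Dict[str, int]] = None) -> List[Certification]:
    """Certifications that survive the filter; the trust calculation then
    treats each survivor identically, so the 0x12/0x13 distinction is lost."""
    return [c for c in certs if accepted(c, min_cert_level, per_signer)]


def levels_collapsed(certs: Iterable[Certification], min_cert_level: int = 2,
                     per_signer: Optional[Dict[str, int]] = None) -> List[int]:
    """Distinct levels among accepted certifications: every entry here is
    information the threshold filter throws away."""
    survivors = accepted_certs(certs, min_cert_level, per_signer)
    return sorted({cert_level(c.sig_class) for c in survivors})


# Constructed sample: five signers certify the same user ID.
SAMPLE_CERTS = [
    Certification("alice", "bob <bob@example.invalid>", POSITIVE),
    Certification("carol", "bob <bob@example.invalid>", CASUAL),
    Certification("dave", "bob <bob@example.invalid>", PERSONA),
    Certification("eve", "bob <bob@example.invalid>", GENERIC),
    Certification("robot-ca", "bob <bob@example.invalid>", PERSONA),
]

if __name__ == "__main__":
    for threshold in (1, 2, 3):
        names = [c.signer for c in accepted_certs(SAMPLE_CERTS, threshold)]
        print(f"min-cert-level {threshold}: {names}")
    # Hypothetical per-signer policy: dave's 0x11 signatures are backed by
    # an encrypted challenge, so accept them while still ignoring robot-ca.
    override = {"dave": 1}
    print("per-signer override:",
          [c.signer for c in accepted_certs(SAMPLE_CERTS, 2, override)])
```

With the default threshold of 2, three certifications survive (alice, carol, eve) and two distinct levels are merged into one accepted set; raising the threshold to 3 drops carol's 0x12 as well. The per-signer mapping shows the cost of the proposal in the thread: the filter becomes a table of thresholds rather than a single value, which is the extra complexity the quoted objection refers to.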