how to handle "bad" signers?

Thomas Kuehne thomas-gmane at kuehne.cn
Sat Nov 5 12:30:46 CET 2005


I've started to analyze the trust relations between the keys of various
keysigning parties. The data below is a generalization of several
keysigning parties.

the setting:
* more than 20 potential participants
* more than 15 attendees
* 1-3 keys that signed every single key of all announced participants,
even those that most likely never attended the party

The interesting point is that those 1-3 keys haven't got a single
signature from any of the other participants.

There are 4 possible reasons I can think of
1) Those keys are "role" or "institutional" keys.

2) The key owners failed to push the received signatures back into the
keyserver network.

3) The key owners pushed the received signatures onto one of the
semi/unlinked key servers.

4) The owners are bad signers and didn't take part in the ID
verification step of the signature process.


1) and 3) are definitely not the reasons in the analyzed cases.

I really hope 2) is the cause, but in at least one case I am sure of 4).


How should 4) be dealt with?

As far as I am aware there is no negative signature or any other way to
mark those keys - except for local trust settings.

Thomas
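
An added example, not part of the original post: one way to run the check described in the message, assuming the announced participants' keys sit in a local keyring and are listed in the `gpg --with-colons --list-sigs` record layout. The sample records, key IDs and function names are constructed; a flagged key fits both reason 2) and reason 4), which this check cannot tell apart.

```python
from collections import defaultdict

# Constructed sample in the `gpg --with-colons --list-sigs` record layout;
# key IDs and names are made up. Field 5 is the key ID (pub) or signer ID (sig).
A, B, C, D = "AAAAAAAAAAAAAAA1", "BBBBBBBBBBBBBBB2", "CCCCCCCCCCCCCCC3", "DDDDDDDDDDDDDDD4"

def _key(keyid, name, signers):
    """Build pub/uid/sig records for one constructed key (self-signature first)."""
    rows = [f"pub:-:1024:17:{keyid}:1100000000:::-:", f"uid:-::::1100000000::::{name}:"]
    rows += [f"sig:::17:{s}:1131000000::::constructed:10x:" for s in [keyid, *signers]]
    return rows

SAMPLE = "\n".join(_key(A, "Alice", [B, C, D]) + _key(B, "Bob", [A, D])
                   + _key(C, "Carol", [A, B, D]) + _key(D, "Dave", []))

def signature_graph(colons_text):
    """Return {key: set of foreign key IDs that certified it}.

    Signatures made by the key itself (self-signatures, subkey bindings) are
    skipped. Simplification: `rev` records are not subtracted.
    """
    signers, current = defaultdict(set), None
    for line in colons_text.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            current = f[4]
            signers[current]          # register the key even if nobody signed it
        elif f[0] == "sig" and current and f[4] != current:
            signers[current].add(f[4])
    return dict(signers)

def one_way_signers(graph, participants):
    """Keys that certified every other participant but hold no signature from any."""
    participants = set(participants)
    flagged = []
    for key in sorted(participants):
        others = participants - {key}
        signed = {k for k in others if key in graph.get(k, set())}
        received = graph.get(key, set()) & others
        if others and signed == others and not received:
            flagged.append(key)
    return flagged

if __name__ == "__main__":
    for key in one_way_signers(signature_graph(SAMPLE), [A, B, C, D]):
        print("signed everyone, signed by no one:", key)
```

Keys flagged this way are candidates for a lower local ownertrust setting, the only marking the post says is available.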