how to handle "bad" signers?

Alphax alphasigmax at gmail.com
Sat Nov 5 13:00:03 CET 2005



Thomas Kuehne wrote:
> I've started to analyze the trust relations between the keys of various
> keysigning parties. The data below is a generalization of several
> keysigning parties.
> 
> the setting:
> * more than 20 potential participants
> * more than 15 attendees
> * 1-3 keys that signed every single key of all announced participants,
> even those that most likely never attended the party
> 
> The interesting point is that those 1-3 keys haven't got a single
> signature from any of the other participants.
> 
<snip>
> 4) The owners are bad signers and didn't take part in the ID
> verification step of the signature process.
> 
<snip>
> 
> How should 4) be dealt with?
> 
> As far as I am aware there is no negative signature or any other way to
> mark those keys - except for local trust settings.
> 

Don't sign their keys?

Tell them if you do get a chance to sign their keys, "I am not going to
sign your key because you do not understand the implications of the web
of trust" and make them revoke their signatures on all the keys they
have signed without verifying them?

If you are lucky, they will be level 1 signatures, so you can exclude
them. If you are unlucky, they will be nonrevokable level 3 trust
signatures 10 deep.

Setting ownertrust to "none" in these cases is a good idea; at least
then your WOT won't be contaminated by their signatures.

However, I find it unlikely that they would even enter into your WOT to
start with; if that is the case, you need not even worry about what
their signatures are doing. Just set ownertrust to "none" and forget
about it. Use the --always-trust option when encrypting (IIRC GPG will
still "warn" you but will at least let you encrypt).

There is of course possibility 5) which appears to happen most often with
PGP newbies (because it's TOO easy to use, and the instructions likely
don't require any understanding): the possibility that they should have
made local signatures on the keys, but didn't, and PGP automagically
"refreshed" their entire keyring, spreading these signatures into the
wild. For an excellent example of this, check the PGP global directory
key; there are many signatures which have been revoked due to accidental
non-local signing, and many keys in the keyserver network have PGP GD
sigs on them, again due to "automagic" refreshing (most likely through
LDAP).

I realise that this has turned into a bit of a screed, but it looks like
the best policy is: Don't do stuff unless you know what you are doing!
Don't use software that does stuff behind your back! Use Free software!

--
Alphax                      |   /"\
Encrypted Email Preferred   |   \ /     ASCII Ribbon Campaign
OpenPGP key ID: 0xF874C613  |    X   Against HTML email & vCards
http://tinyurl.com/cc9up    |   / \