how to handle "bad" signers?

Alphax alphasigmax at
Sat Nov 5 13:00:03 CET 2005

Thomas Kuehne wrote:
> I've started to analyze the trust relations between the keys of various
> keysigning parties. The data below is a generalization of several
> keysigning parties.
> the setting:
> * more than 20 potential participants
> * more than 15 attendees
> * 1-3 keys that signed every single key of all announced participants,
> even those that most likely never attended the party
> The interesting point is that those 1-3 keys haven't got a single
> signature from any of the other participants.
> 4) The owners are bad signers and didn't take part in the ID
> verification step of the signature process.
> How should 4) be dealt with?
> As far as I am aware there is no negative signature or any other way to
> mark those keys - except for local trust settings.

Don't sign their keys?

Tell them if you do get a chance to sign their keys, "I am not going to
sign your key because you do not understand the implications of the web
of trust" and make them revoke their signatures on all the keys they
have signed without verifying them?

If you are lucky, they will be level 1 signatures, so you can exclude
them. If you are unlucky, they will be nonrevokable level 3 trust
signatures 10 deep.

Setting ownertrust to "none" in these cases is a good idea; at least
then your WOT won't be contaminated by their signatures.

However, I find it unlikely that they would even enter into your WOT to
start with; if that is the case, you need not even worry about what
their signatures are doing. Just set ownertrust to "none" and forget
about it. Use the --always-trust option when encrypting (IIRC GPG will
still "warn" you but will at least let you encrypt).

There is of course possibility 5) which appears to happen most often with
PGP newbies (because it's TOO easy to use, and the instructions likely
don't require any understanding): the possibility that they should have
made local signatures on the keys, but didn't, and PGP automagically
"refreshed" their entire keyring, spreading these signatures into the
wild. For an excellent example of this, check the PGP global directory
key; there are many signatures which have been revoked due to accidental
non-local signing, and many keys in the keyserver network have PGP GD
sigs on them, again due to "automagic" refreshing (most likely through

I realise that this has turned into a bit of a screed, but it looks like
the best policy is: Don't do stuff unless you know what you are doing!
Don't use software that does stuff behind your back! Use Free software!

--
Alphax                      |   /"\
Encrypted Email Preferred   |   \ /     ASCII Ribbon Campaign
OpenPGP key ID: 0xF874C613  |    X   Against HTML email & vCards
                            |   / \
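The pattern Thomas describes (a key that certified every announced participant but was certified by nobody) can be pulled out of a keyring mechanically, and the remedy Alphax suggests (ownertrust "never", what the post calls "none") can be emitted in a form gpg will import. The script below is an added example, not code from the original thread or from GnuPG. It reads the colon-delimited output of `gpg --with-colons --with-fingerprint --list-sigs` using the field layout documented in GnuPG's doc/DETAILS (field 1 record type, field 5 of pub/sig records the key ID, field 10 of fpr records the fingerprint, field 11 of sig records the signature class, where a trailing "x" means exportable and "l" means local-only), and writes `fingerprint:3:` lines in the `gpg --export-ownertrust` format (2 undefined, 3 never, 4 marginal, 5 full, 6 ultimate). The listing, key IDs and fingerprints are constructed for illustration.

```python
"""Flag keysigning-party signers who certified everyone but were certified by
nobody, and produce --import-ownertrust lines that set them to 'never'.

Added example (not from the original post or GnuPG). Input format follows
GnuPG's doc/DETAILS for --with-colons output; the listing below is constructed.
"""

# Constructed sample: three party participants (1111.., 2222.., 3333..) plus
# 9999.., who signed all three but holds no certification from any of them.
# Alice's "12l" on Carol is a local (non-exportable) signature and is skipped.
CONSTRUCTED_LISTING = """\
pub:u:2048:1:1111111111111111:1131184803:::u:::scESC:
fpr:::::::::AAAA111111111111111111111111111111111111:
uid:u::::1131184803::X::Alice <alice@example.invalid>:
sig:::1:1111111111111111:1131184803::::Alice <alice@example.invalid>:13x:
sig:::1:2222222222222222:1131185000::::Bob <bob@example.invalid>:13x:
sig:::1:9999999999999999:1131186000::::Mallory <m@example.invalid>:10x:
pub:-:2048:1:2222222222222222:1131184900:::-:::scESC:
fpr:::::::::BBBB222222222222222222222222222222222222:
uid:-::::1131184900::X::Bob <bob@example.invalid>:
sig:::1:2222222222222222:1131184900::::Bob <bob@example.invalid>:13x:
sig:::1:1111111111111111:1131185100::::Alice <alice@example.invalid>:12x:
sig:::1:9999999999999999:1131186001::::Mallory <m@example.invalid>:10x:
pub:-:2048:1:3333333333333333:1131184950:::-:::scESC:
fpr:::::::::CCCC333333333333333333333333333333333333:
uid:-::::1131184950::X::Carol <carol@example.invalid>:
sig:::1:3333333333333333:1131184950::::Carol <carol@example.invalid>:13x:
sig:::1:1111111111111111:1131185200::::Alice <alice@example.invalid>:12l:
sig:::1:9999999999999999:1131186002::::Mallory <m@example.invalid>:10x:
pub:-:2048:1:9999999999999999:1131180000:::-:::scESC:
fpr:::::::::9999999999999999999999999999999999999999:
uid:-::::1131180000::X::Mallory <m@example.invalid>:
sig:::1:9999999999999999:1131180000::::Mallory <m@example.invalid>:13x:
"""

# RFC 4880 certification classes 0x10..0x13 (generic, persona, casual, positive).
CERTIFICATION_CLASSES = {"10", "11", "12", "13"}

# Ownertrust value for "never" in gpg --export/--import-ownertrust files.
TRUST_NEVER = 3


def parse_listing(text):
    """Return (signed_by, fingerprints).

    signed_by maps each primary key ID to the set of *other* key IDs that put an
    exportable certification on it.  Self-signatures and local-only ('l')
    signatures are ignored: the latter never leave the signer's own keyring.
    """
    signed_by, fingerprints, current = {}, {}, None
    for line in text.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            current = f[4]
            signed_by.setdefault(current, set())
        elif f[0] == "fpr" and current is not None:
            fingerprints[current] = f[9]
        elif f[0] == "sig" and current is not None:
            signer, sigclass = f[4], f[10]
            if (sigclass[:2] in CERTIFICATION_CLASSES
                    and sigclass.endswith("x") and signer != current):
                signed_by[current].add(signer)
    return signed_by, fingerprints


def find_unreciprocated_signers(signed_by, participants):
    """Key IDs that certified every participant's key (other than their own)
    but hold no certification from any participant."""
    participants = set(participants)
    signers = set().union(*(signed_by.get(k, set()) for k in participants))
    flagged = []
    for s in sorted(signers):
        signed_all = all(s in signed_by.get(k, set())
                         for k in participants if k != s)
        got_none = not (signed_by.get(s, set()) & participants)
        if signed_all and got_none:
            flagged.append(s)
    return flagged


def ownertrust_lines(keyids, fingerprints, value=TRUST_NEVER):
    """Lines in the gpg --import-ownertrust format: <fingerprint>:<value>:"""
    return [f"{fingerprints[k]}:{value}:" for k in keyids if k in fingerprints]


def analyze(text, participants):
    """Full pipeline: parse, flag, and build the ownertrust lines."""
    signed_by, fprs = parse_listing(text)
    flagged = find_unreciprocated_signers(signed_by, participants)
    return flagged, ownertrust_lines(flagged, fprs)


if __name__ == "__main__":
    party = ["1111111111111111", "2222222222222222", "3333333333333333"]
    flagged, lines = analyze(CONSTRUCTED_LISTING, party)
    print("unreciprocated signers:", flagged)
    print("\n".join(lines))  # feed to: gpg --import-ownertrust
```

Against a real keyring, replace the constructed listing with the output of `gpg --with-colons --with-fingerprint --list-sigs` and pass the announced participants' key IDs; the printed lines can be piped straight into `gpg --import-ownertrust`. Note that this only changes your local trust database, exactly as the post says: it does not mark the key for anyone else, and it does nothing about the exportable signatures already sitting on the keyservers.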
