how to handle "bad" signers?

David Shaw dshaw at
Sat Nov 5 15:33:09 CET 2005

On Sat, Nov 05, 2005 at 12:30:46PM +0100, Thomas Kuehne wrote:

> 4) The owners are bad signers and didn't take part in the ID
> verification step of the signature process.
> 1) and 3) are defiantly not the reasons in the analyzed cases.
> I really hope 2) is the cause, but in at least one case I am sure of 4).

I'm sure it's 4, especially in the case when the person in question
never attended the party.  Some people just sign all the keys and call
it a day.

> How should 4) be dealt with?
> As far as I am aware the is no negative signature or any other way to
> mark those keys - except for local trust settings.

That is correct.  It really has to be this way, for good and for bad.
Trust is inherently subjective - even the 1-2-3 trust levels are just
guidelines and there is no way to enforce them beyond asking people
nicely not to abuse the system.

Of course, it would be possible to propose a different trust model
that takes into account such things (a reputation system), but that
would be a reasonably different beast than the current system.  Not
impossible, but it would take some working out of details.  OpenPGP
currently has no way to make a "negative" signature.


More information about the Gnupg-users mailing list