how to handle "bad" signers?
dshaw at jabberwocky.com
Sat Nov 5 15:33:09 CET 2005
On Sat, Nov 05, 2005 at 12:30:46PM +0100, Thomas Kuehne wrote:
> 4) The owners are bad signers and didn't take part in the ID
> verification step of the signature process.
> 1) and 3) are defiantly not the reasons in the analyzed cases.
> I really hope 2) is the cause, but in at least one case I am sure of 4).
I'm sure it's 4, especially in the case when the person in question
never attended the party. Some people just sign all the keys and call
it a day.
> How should 4) be dealt with?
> As far as I am aware the is no negative signature or any other way to
> mark those keys - except for local trust settings.
That is correct. It really has to be this way, for good and for bad.
Trust is inherently subjective - even the 1-2-3 trust levels are just
guidelines and there is no way to enforce them beyond asking people
nicely not to abuse the system.
Of course, it would be possible to propose a different trust model
that takes into account such things (a reputation system), but that
would be a reasonably different beast than the current system. Not
impossible, but it would take some working out of details. OpenPGP
currently has no way to make a "negative" signature.
More information about the Gnupg-users