how to handle "bad" signers?
David Shaw
dshaw at jabberwocky.com
Sat Nov 5 19:43:19 CET 2005
On Sun, Nov 06, 2005 at 01:09:36AM +1030, Alphax wrote:
> David Shaw wrote:
> > On Sat, Nov 05, 2005 at 12:30:46PM +0100, Thomas Kuehne wrote:
> >
> <snip>
> >
> >>How should 4) be dealt with?
> >>
> >>As far as I am aware there is no negative signature or any other way to
> >>mark those keys - except for local trust settings.
> >
> >
> > That is correct. It really has to be this way, for good and for bad.
> > Trust is inherently subjective - even the 1-2-3 trust levels are just
> > guidelines and there is no way to enforce them beyond asking people
> > nicely not to abuse the system.
> >
> > Of course, it would be possible to propose a different trust model
> > that takes into account such things (a reputation system), but that
> > would be a reasonably different beast than the current system. Not
> > impossible, but it would take some working out of details. OpenPGP
> > currently has no way to make a "negative" signature.
> >
>
> If it did, there would be a corresponding "Web of Antitrust".

Yes, more or less. You could allow people who you trust to lower the
validity of other user IDs.

David