Signing signature policies required for safe key usage?

Robert J. Hansen rjh at
Thu Mar 10 14:40:55 CET 2011

On 3/10/2011 7:56 AM, Hauke Laging wrote:
> Thus I think that we should not only certify other people's keys but
> also sign the respective signature policy document. You trust the key
> because it has valid signatures by other keys you trust. You can
> analogically trust a policy document because an attacker would not
> only have to steal the respective secret key but also all secret keys
> for the signatures you demand to accept the policy document as
> valid.

I don't believe it will ever happen.

For all that we like to believe people validate certificates, the blunt
reality is certificate validation is an unusual event.  Certificate
signing is a technical procedure and most users don't do it.  This is
why GnuPG allows for a trust model of "always", where all keys are
treated as validated even though they haven't been.

When the overwhelming majority of users validate keys by fiat, there's
no reason to think they'll either (a) write a policy document, (b) read
another person's policy document, (c) adhere to their own policy
document, or (d) randomly check certificates they've signed in order to
make sure the cert owner is adhering to his or her policy document.

I mean, in an abstract sense, yes, it would be nice if..., but I don't
expect it to ever happen.

More information about the Gnupg-users mailing list