hashed user IDs [was: Re: Security of the gpg private keyring?]
MFPA
expires2011 at ymail.com
Sat Mar 12 22:23:08 CET 2011
Hi
On Saturday 12 March 2011 at 8:22:06 PM, in
<mid:4D7BD5EE.80301 at sixdemonbag.org>, Robert J. Hansen wrote:
> On 3/12/2011 1:05 PM, MFPA wrote:
>> How does the WoT idea require me to know the names or email addresses
>> associated with the keys in the trust path? The text strings in User
>> IDs do not feature in the trust calculation.
> Yes, in fact, they do.
> In my past, there's an ex-CEO whom I'll just call
> "Ben." Ben made some really astonishingly bad
> decisions that put him in prison for eighteen months,
> and left me with a permanent distrust for him. If I
> see Frank has signed Ben's certificate, and I trust
> Frank, am I going to trust Ben?
> Of course not.
Presumably GnuPG factors this into the trust calculations by virtue of
the trust level you have assigned to Ben's key, not by parsing his
User IDs.
> Trust is not transitive. If A trusts B and B trusts C,
> there is no requirement that A trusts C.
In real life, true. But what about the GnuPG default of trusting a key
that carries certifications from 1 fully trusted or 3 marginally
trusted keys? Unless you manually inspect each trust path, how would
you spot unknown keys from past real-life associates you distrusted?
> In fact, if
> it turns out A knows C, transitivity can break
> completely.
Indeed, if you know that a certificate belongs to somebody you
actually know, trust *calculations* are irrelevant. Of course you
might trust somebody's security procedures and keysigning policy but
wish to keep your valuables or your wife well away from him.
--
Best regards
MFPA mailto:expires2011 at ymail.com
A picture is a poem without words
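An added illustration, not part of the thread or of GnuPG's own code: a toy Python re-implementation of the classic GnuPG trust-model rules referred to above (a key becomes valid with 1 fully trusted or 3 marginally trusted valid introducers, up to a default certification depth of 5), run over a constructed keyring with made-up names. It shows that validity is derived from the ownertrust you assign and from the certification graph, with nothing read from User ID strings, and that the ownertrust given to a key only governs whom that key can introduce, not whether the key itself validates.

```python
# Added example: a simplified model of GnuPG's classic trust calculation.
# Defaults mirror --completes-needed 1, --marginals-needed 3, --max-cert-depth 5.
# Key names below are constructed for illustration only.

UNKNOWN, NEVER, MARGINAL, FULL, ULTIMATE = "unknown", "never", "marginal", "full", "ultimate"


def compute_validity(ownertrust, certifications,
                     completes_needed=1, marginals_needed=3, max_cert_depth=5):
    """ownertrust: {key: level you assigned}; certifications: {key: set of signers}.
    Returns {key: 'full' | 'marginal' | 'unknown'}, i.e. key validity (not ownertrust)."""
    keys = set(ownertrust) | set(certifications)
    for signers in certifications.values():
        keys |= set(signers)
    # Depth 0: only ultimately trusted keys are valid by definition.
    validity = {k: ("full" if ownertrust.get(k) == ULTIMATE else "unknown") for k in keys}
    for _depth in range(1, max_cert_depth + 1):
        previous = dict(validity)  # only keys valid at the previous depth can introduce
        for key, signers in certifications.items():
            if previous[key] == "full":
                continue
            # A signature counts only if the signer is itself valid AND you gave it ownertrust;
            # a signer marked "never" contributes nothing.
            full = sum(1 for s in signers
                       if previous[s] == "full" and ownertrust.get(s) in (FULL, ULTIMATE))
            marginal = sum(1 for s in signers
                           if previous[s] == "full" and ownertrust.get(s) == MARGINAL)
            if full >= completes_needed or marginal >= marginals_needed:
                validity[key] = "full"
            elif full or marginal:
                validity[key] = "marginal"
        if validity == previous:
            break
    return validity


# Constructed keyring: "me" holds the ultimate key; Frank is fully trusted;
# Carol, Dave and Erin are marginal; Ben is marked "never", as in the mail.
OWNERTRUST = {"me": ULTIMATE, "frank": FULL, "carol": MARGINAL,
              "dave": MARGINAL, "erin": MARGINAL, "ben": NEVER}
CERTIFICATIONS = {
    "frank": {"me"}, "carol": {"me"}, "dave": {"me"}, "erin": {"me"},
    "ben": {"frank"},                    # one fully trusted introducer -> valid
    "grace": {"carol", "dave", "erin"},  # three marginal introducers -> valid
    "ivan": {"carol", "dave"},           # only two marginals -> marginal validity
    "heidi": {"ben"},                    # signed only by a key you never trust
}

if __name__ == "__main__":
    for key, v in sorted(compute_validity(OWNERTRUST, CERTIFICATIONS).items()):
        print(f"{key:6} {v}")
```

Raising Ben's ownertrust to "full" makes Heidi valid without changing Ben's own validity, which is exactly the distinction between ownertrust and key validity under discussion.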