Displaying signature algorithms when doing --check-sigs, disabling algorithms for web of trust.

Tomasz Wozowicz zirconiumnzinc at gmail.com
Sat May 14 22:42:17 CEST 2011

On Thu, May 12, 2011 at 6:07 AM, Jerome Baum <jerome at jeromebaum.com> wrote:
> On Wed, May 11, 2011 at 13:33, Tomasz Wozowicz <zirconiumnzinc at gmail.com>
> wrote:
>> Hi again
>> I have problems with finding that message with search engine. Do you
>> remember when that disscusion took place? At least the year?
> This Apr, subject was: "Updating signature cert-level". For whether it makes
> sense, read the discussion. For the solution, to quote:
>> GnuPG supports reading a trust "map" generated by an external process that
>> can use whatever trust rules it likes.
> I think he's referring to import-ownertrust in combination with trust-model
> direct.
> --
> Jerome Baum
> tel +49-1578-8434336
> email jerome at jeromebaum.com
> --
> PGP: A0E4 B2D4 94E6 20EE 85BA E45B 63E4 2BD8 C58C 753A
> PGP: 2C23 EBFF DF1A 840D 2351 F5F5 F25B A03F 2152 36DA

Thanks  Jerome.
"GnuPG supports reading a trust "map" generated by an external process
that can use whatever trust rules it likes."
This requires another piece of software (or programming skills). I
don't know of any software that does this, and i lack programming
skills. So this solution is not for me :(
I'm not a cryptographer, however I think that those issues are
serious, because as we know, algorithms that are now considered
secure, will probably become broken one day. While this most likely is
not going to happen overnight, suddenly and unexpectedly, it could be
still good for users to enforce their policy regarding minimal
strenght of algorithms accepted by their web or trust., or if person
is using "direct" trust model, it could be useful when person is doing
--check-sigs (or check in the --edit-key shell), to display
signatures, along with their algorithms, and signers key/uid validity,
to have enough confidence when setting validity of keys/uids signed by
other people. Of course new versions of GnuPG could enforce minimal
strength of algorithms, however it doesn't allow users to decide about
confidence/security level, so in my opinion GnuPG should only set sane
defaults. Also it will allow someone who  is still using older version
of GnuPG for some reason (like older packages in distributions
repository) to use strong enough algorithms to verify authenticity of
new software.

Should i crosspost the first message of this thread and this one to
gnupg-devel? Or maybe i should contact Mr. Koch directly?
Werner if you read this thread please reply. Thanks.

More information about the Gnupg-users mailing list