Web of Trust in Practical Usage

Quinn Wood wood.quinn.s at gmail.com
Mon Apr 29 06:29:09 CEST 2013


My question in simpler terms could probably be summed up: "How can one find
the most popular (most signed) key (matching some query such as name or
email, of course) while successfully avoiding falsely inflated signature
counts (such as keys which only have more signatures than another due to
their age, or due to actual malicious acts like mass signing)?"


On Sun, Apr 28, 2013 at 6:34 AM, Peter Lebbing <peter at digitalbrains.com> wrote:

> I might be misinterpreting your request, because I can see two slightly
> different interpretations and I'm going with only one of those! ;)
>
> On 27/04/13 18:31, Quinn Wood wrote:
> > However, gnupg does not recurse signatures on imported or updated keys[...]
> > determining the most trusted (based on signature webs, hops, and/or other
> > web of trust concepts) key
>
> While signatures have a certain transitive quality (A signed B, B signed C,
> there is a path from A to C), /ownertrust/ is not applied transitively[1].
> This means you'll still need to assign trust to a key introducing another
> key.
>
> So if you're A, A signed B, B signed C, C signed D, you still need to
> assign ownertrust to C /yourself/ to get D valid, and this has nothing to
> do with ownertrust you assign to B.
>
> So while tools like PGP Pathfinder can find signature paths, it doesn't
> really help for validity, which needs ownertrust of a direct parent of the
> key you want validated. There are no ownertrust paths.
>
> Suppose you are downloading key D from a keyserver, and some tool decides
> there is a path from A to D and it needs key C for that. If C is not
> already in your keyring, it could download C for you. Superficially, this
> would seem to help establish trust in D. But what good does it really do?
> Because you'll need to assign ownertrust to C, and if you don't know C,
> how can you trust him or her? And if you know C, why isn't he or she in
> your keyring already?[2]
>
> I am most definitely not saying your request isn't a good one. Neither am
> I saying there isn't a beautiful, elegant solution. Because I don't have
> enough grasp of the material myself, and I might miss a lot. I'm also
> personally very interested in tools to (meaningfully) expand the number of
> valid keys in my keyring, which is why I was thinking about the exact same
> thing as you, but in that line of thought I encountered the obstacles I
> just described.
>
> So yay for more meaningfully valid keys on my keyring. I just don't see
> how :).
>
> HTH,
>
> Peter.
>
> [1] I'm leaving trust signatures out of the picture, as they're uncommon
> in the WoT.
>
> [2] If C was in your keyring already and you assigned ownertrust, the newly
> imported D would immediately get some validity, so there's no extra tool
> needed.
>
> --
> I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
> You can send me encrypted mail if you want some privacy.
> My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>
>



-- 
Quinn
http://woodquinn.x10.mx
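The distinction Peter draws above (signing paths are transitive, ownertrust is not) as an added Python illustration; this is example code written for this thread, not GnuPG's implementation, and it assumes a constructed A-B-C-D signing chain plus the classic trust model's "one full or three marginal certifiers within five hops" rule.

```python
from collections import defaultdict, deque

# Ownertrust levels used by the toy; a key absent from the dict has none.
ULTIMATE, FULL, MARGINAL = "ultimate", "full", "marginal"

# Constructed certification graph: A signed B, B signed C, C signed D.
SIGS = [("A", "B"), ("B", "C"), ("C", "D")]


def signature_path(sigs, src, dst):
    """Breadth-first search over certifications: is there a signing chain
    from src to dst? This is all a pathfinder-style tool can report."""
    out = defaultdict(set)
    for signer, signee in sigs:
        out[signer].add(signee)
    seen, queue = {src}, deque([src])
    while queue:
        key = queue.popleft()
        if key == dst:
            return True
        for nxt in out[key] - seen:
            seen.add(nxt)
            queue.append(nxt)
    return False


def compute_validity(sigs, ownertrust, max_depth=5):
    """Classic trust-model rule (assumed): a key is valid if certified by one
    fully trusted valid key or by three marginally trusted valid keys, within
    max_depth hops of an ultimately trusted key. Ownertrust is looked up on
    the direct certifier only; it is never inherited along the path."""
    signers_of = defaultdict(set)
    for signer, signee in sigs:
        signers_of[signee].add(signer)
    depth = {k: 0 for k, lvl in ownertrust.items() if lvl == ULTIMATE}
    changed = True
    while changed:
        changed = False
        for key, signers in signers_of.items():
            if key in depth:
                continue
            usable = [s for s in signers if s in depth and depth[s] < max_depth]
            full = [s for s in usable if ownertrust.get(s) in (ULTIMATE, FULL)]
            marg = [s for s in usable if ownertrust.get(s) == MARGINAL]
            if full or len(marg) >= 3:
                depth[key] = 1 + min(depth[s] for s in full + marg)
                changed = True
    keys = set(ownertrust) | {k for pair in sigs for k in pair}
    return {k: k in depth for k in keys}
```

With A ultimate and B full but no ownertrust on C, `signature_path` still finds the chain from A to D, yet `compute_validity` leaves D invalid until C itself is given ownertrust.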