trust your corporation for keyowner identification?
Peter Lebbing
peter at digitalbrains.com
Thu Nov 7 19:21:28 CET 2013
On 2013-11-07 17:09, Leo Gaspard wrote:
> If I understood correctly, the depth parameter you are talking about
> is useless, except in case there are trust signature. And you agreed
> with me for
> them to be taken out of the equation.
Of course it's not useless. You seem to misunderstand the Web of Trust.
I'll give an example.
I know and trust the people A, B, C, D and E. A has signed B, B has
signed C, C has signed D, D has signed E, and E has signed F. I meet up
with A, verify their identity, and sign their key. I assign ownertrust
to A, B, C, D and E. Et voilà, the keys A, B, C, D and E are all valid,
without me needing to meet up with my other friends to verify their key
details. A is at level 1, B at 2, C at 3, D at 4, and E at 5.
Unfortunately, F won't get valid because it is at level 6.
Now suppose C signs F as well. F is now at level 4, so it becomes
valid. However, I don't trust F, so even if F now signs G, G won't
become valid.
Signatures indicate verification, not trust or belief. Trust is in your
trust database or in trust signatures, but the latter are not commonly
used. Belief is expressed in validity calculated from your trust
database and signatures. I don't know if you can choose to disagree with
GnuPG, that is, if you don't believe a key is valid even though GnuPG
calculated that it is.
I could get back to all the other points you raise, but I think it's a
waste of time when you have reasoned from the standpoint that to get a
key to be valid, you need to sign it, and that is how it looks to me.
It's not much of a Web when you don't have any depth... it's more of
two intertwined strands then ;).
HTH,
Peter.
PS: My ownertrust for E is useless for now, because he/she is at level
5. However, if I get a shorter path to him or her later, it will become
useful then.
--
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at
<http://digitalbrains.com/2012/openpgp-key-peter>
More information about the Gnupg-users
mailing list