Signature without policy meaningless? (was Re: UI terminology for calculated validities)

Peter Lebbing peter at digitalbrains.com
Fri May 2 19:21:59 CEST 2014


On 02/05/14 17:21, NdK wrote:
> Too bad (IIUC) you can't say "I certify that this person is *really* the
> one given in this UID, but I absolutely don't trust his identity
> validations"...

For yourself or as a public statement?

For yourself, it's as easy as signing the key, and then assigning "I do NOT
trust" as ownertrust to that person. So you can do what you want, unless I
misunderstand you.

As a public statement; now we're going into trust signature territory, which is
not really a common deployment in the WoT. But I guess you could simply make a
normal signature instead of a trust signature. True, you do not make a public
statement of distrust, but you don't make a statement of positive trust either.

An example would be when the HR department of your employer signs a key of one
of the employees who is not supposed to be introducing other people into the Web
of Trust, which actually would happen more often than not. The HR department
would simply issue a normal signature. Now when there's a new HR person who is
supposed to introduce other employees into the Web of Trust, they would issue a
trust signature to that new HR person.

But without trust signatures, your exportable signatures do not indicate that
you trust that person to certify others; they make no statement about that
aspect at all. It only potentially influences validity, never ownertrust.

HTH,

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>
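As an added illustration (my own simplified model written for this archive page, not GnuPG's trustdb code and not anything posted in the thread), the Python below models the distinction Peter draws: certifications, including trust signatures, are public data attached to a key, while ownertrust is a private, local policy table that never leaves your keyring, and a key's validity is computed from both. The HR scenario from the mail is replayed with constructed names (alice, hr, newhr, bob, carol, dave); alice's certification on the HR key is modelled as a local trust signature (the kind gpg's edit-key `tlsign` produces). The rules for which trust signatures are honoured are this model's assumptions: ultimately trusted keys can hand down up to `max_cert_depth` levels, a locally assigned FULL or MARGINAL ownertrust makes a key's ordinary certifications count but does not make its own trust signatures honoured, only fully valid keys become introducers, and NEVER always wins.

```python
"""Simplified model of the OpenPGP 'pgp' trust model (assumptions documented
in the lead-in; this is not GnuPG's trustdb implementation)."""
from dataclasses import dataclass
from enum import IntEnum


class OwnerTrust(IntEnum):
    """Local policy: what you think of this key's owner as an introducer."""
    UNKNOWN = 0
    NEVER = 1
    MARGINAL = 2
    FULL = 3
    ULTIMATE = 4


@dataclass
class Cert:
    """A certification on a key. trust_depth 0 is an ordinary signature;
    trust_depth >= 1 is a trust signature (tsig) of that level."""
    issuer: str
    trust_depth: int = 0
    trust_amount: int = 120   # 120 = full, 60 = marginal (tsigs only)


def compute_validity(certs, ownertrust, completes_needed=1,
                     marginals_needed=3, max_cert_depth=5):
    """certs: {key: [Cert, ...]} is public data; ownertrust: {key: OwnerTrust}
    is local policy.  Returns {key: 'u' | 'f' | 'm' | '-'}, mirroring the
    validity letters gpg prints in --with-colons output."""
    validity = {k: '-' for k in certs}
    # introducers: key -> (trust value 'f'|'m', tsig depth it may still hand down)
    introducers = {}
    for k, ot in ownertrust.items():
        if ot == OwnerTrust.ULTIMATE:
            validity[k] = 'u'
            introducers[k] = ('f', max_cert_depth)
    for _ in range(max_cert_depth + 1):
        derived = {}   # introducer status conferred by a tsig this round
        for key, keycerts in certs.items():
            full = marginal = 0
            for c in keycerts:
                if c.issuer == key or c.issuer not in introducers:
                    continue   # self-signatures and untrusted issuers count for nothing
                value, tdepth = introducers[c.issuer]
                if value == 'f':
                    full += 1
                else:
                    marginal += 1
                # A tsig is honoured only while the issuer has depth left to hand down
                # (model assumption).  An ordinary signature never confers trust.
                if c.trust_depth >= 1 and tdepth >= 1:
                    derived[key] = ('f' if c.trust_amount >= 120 else 'm',
                                    min(c.trust_depth - 1, tdepth - 1))
            if validity[key] == 'u':
                continue
            if full >= completes_needed or marginal >= marginals_needed:
                validity[key] = 'f'
            elif marginal:
                validity[key] = 'm'
        new = dict(introducers)
        for key in certs:
            if validity[key] != 'f' or key in new:
                continue
            ot = ownertrust.get(key, OwnerTrust.UNKNOWN)
            if ot == OwnerTrust.NEVER:
                continue                       # local "I do NOT trust" policy wins
            if key in derived:
                new[key] = derived[key]        # trust handed down publicly by a tsig
            elif ot == OwnerTrust.FULL:
                new[key] = ('f', 0)            # local policy: ordinary certs count
            elif ot == OwnerTrust.MARGINAL:
                new[key] = ('m', 0)
        if new == introducers:
            break
        introducers = new
    return validity


def hr_scenario(bob_ownertrust=OwnerTrust.UNKNOWN, hr_uses_tsig=True):
    """Constructed replay of the thread's example: alice is the local user,
    HR signs employee bob with an ordinary signature and the new HR person
    with a trust signature; bob has certified dave, newhr has certified carol."""
    certs = {
        'alice': [],
        'hr':    [Cert('alice', trust_depth=2)],      # alice's local tsig on HR
        'newhr': [Cert('hr', trust_depth=1 if hr_uses_tsig else 0)],
        'bob':   [Cert('hr')],                         # ordinary signature only
        'carol': [Cert('newhr')],
        'dave':  [Cert('bob')],
    }
    ownertrust = {'alice': OwnerTrust.ULTIMATE}
    if bob_ownertrust != OwnerTrust.UNKNOWN:
        ownertrust['bob'] = bob_ownertrust         # never leaves alice's keyring
    return compute_validity(certs, ownertrust)


def marginals_scenario(n):
    """Constructed: key x certified by n locally MARGINAL-trusted keys."""
    certs = {'alice': [], 'x': [Cert('m%d' % i) for i in range(n)]}
    ownertrust = {'alice': OwnerTrust.ULTIMATE}
    for i in range(n):
        certs['m%d' % i] = [Cert('alice')]
        ownertrust['m%d' % i] = OwnerTrust.MARGINAL
    return compute_validity(certs, ownertrust)


if __name__ == '__main__':
    for label, result in [('default', hr_scenario()),
                          ('bob FULL', hr_scenario(OwnerTrust.FULL)),
                          ('bob NEVER', hr_scenario(OwnerTrust.NEVER)),
                          ('HR ordinary sig on newhr', hr_scenario(hr_uses_tsig=False))]:
        print(label, result)
```

In the default run, HR's ordinary signature makes bob valid but says nothing about bob as an introducer, so dave stays unknown; HR's trust signature makes newhr an introducer, so carol becomes valid. Setting ownertrust on bob to FULL changes dave's validity in alice's keyring only, and NEVER leaves bob valid while ignoring everything bob certified, which is the "for yourself" case in the mail. Replacing HR's tsig on newhr with an ordinary signature (`hr_uses_tsig=False`) keeps newhr valid but drops carol, which is the public-statement case.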
