Signature without policy meaningless? (was Re: UI terminology for calculated validities)
Daniel Kahn Gillmor
dkg at fifthhorseman.net
Sat May 3 01:10:42 CEST 2014
On 05/02/2014 01:21 PM, Peter Lebbing wrote:
> As a public statement; now we're going into trust signature territory, which is
> not really a common deployment in the WoT. But I guess you could simply make a
> normal signature instead of a trust signature. True, you do not make a public
> statement of distrust, but you don't make a statement of positive trust either.
Furthermore, what would such a machine-readable statement of "i would
never rely on his identity certifications" be useful for?
You can already make such an assertion if you want to, but it won't be
machine-readable. For example, you can write and sign a text document
that says as much, and publish it on your blog, tweet it, put it in the
newspaper, whatever.
Having such an assertion cryptographically bound to the OpenPGP
certificate in parseable form implies in some sense that you think a
mechanical process (e.g. WoT calculated validity) should be able to make
use of it. But how would that work? It sounds like you'd want to ask
an OpenPGP to introduce an additional concept on top of the notions of
validity and ownertrust (which are already confusing): some sort of
meta-ownertrust: instead of ownertrust's question of: "how much am i
willing to rely on NdK's identity assertions", meta-ownertrust would ask
"how much am i willing to believe NdK's assessments of certification
practice quality?" Who is going to understand this question? What kind
of UI would you suggest for it?
*and* by creating a standardized mechanism, you're encouraging further
leakage of more-nuanced relationship information than would be found in
the traditional simple identity certification model.
Sounds like a lot of protocol and UI complexity, with not much of a
benefit to me.
--dkg
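To make the validity/ownertrust distinction in the message above concrete, here is a small model of Web-of-Trust calculated validity. It is an added example, not code from this thread or from GnuPG; it borrows GnuPG's default thresholds (one fully trusted certifier or three marginally trusted ones) but simplifies everything else (no trust depth limits, no expiry or revocation, no per-user-ID handling). The key IDs and certifications are constructed sample data.

```python
# Simplified model of OpenPGP Web-of-Trust calculated validity.
# Added example; mirrors GnuPG's default thresholds but is not GnuPG's code.
from dataclasses import dataclass, field

FULL, MARGINAL, NONE = "full", "marginal", "none"


@dataclass
class Keyring:
    ultimate: set                       # the local user's own keys (always valid)
    ownertrust: dict                    # keyid -> FULL/MARGINAL/NONE, set locally and privately
    certifications: list                # (certifier, subject) identity certifications on the ring
    completes_needed: int = 1           # GnuPG default --completes-needed
    marginals_needed: int = 3           # GnuPG default --marginals-needed


def calculated_validity(ring: Keyring) -> dict:
    """Return keyid -> FULL/MARGINAL/NONE.

    The only inputs are (a) certifications present on the ring and (b) the
    ownertrust the *local* user assigned.  A certifier's opinion about some
    third party's certification practice is not an input at all: the engine
    has no slot for it, which is the "meta-ownertrust" gap the message describes.
    """
    keys = {k for pair in ring.certifications for k in pair}
    keys |= ring.ultimate | set(ring.ownertrust)
    validity = {k: NONE for k in keys}
    for k in ring.ultimate:
        validity[k] = FULL

    def trust_of(certifier):
        # Our own keys act as fully trusted certifiers; everyone else only
        # carries the ownertrust the local user explicitly assigned.
        if certifier in ring.ultimate:
            return FULL
        return ring.ownertrust.get(certifier, NONE)

    # Iterate to a fixed point: a certification only counts once the
    # certifier's own key has become fully valid, so validity propagates
    # outward from the ultimately trusted keys.
    changed = True
    while changed:
        changed = False
        for subject in keys:
            if validity[subject] == FULL:
                continue
            trusted = [c for c, s in ring.certifications
                       if s == subject and validity[c] == FULL]
            full = sum(1 for c in trusted if trust_of(c) == FULL)
            marginal = sum(1 for c in trusted if trust_of(c) == MARGINAL)
            if full >= ring.completes_needed or marginal >= ring.marginals_needed:
                new = FULL
            elif full or marginal:
                new = MARGINAL
            else:
                new = NONE
            if new != validity[subject]:
                validity[subject] = new
                changed = True
    return validity


def example_ring() -> Keyring:
    # Constructed sample ring: "me" is the local user.
    return Keyring(
        ultimate={"me"},
        ownertrust={
            "alice": FULL,                    # i rely fully on alice's certifications
            "bob": MARGINAL, "carol": MARGINAL, "dave": MARGINAL,
            "ivan": FULL,                     # trusted, but nobody has certified ivan's key
        },
        certifications=[
            ("me", "alice"), ("me", "bob"), ("me", "carol"), ("me", "dave"),
            ("alice", "erin"),                # one full certifier -> erin FULL
            ("bob", "frank"), ("carol", "frank"), ("dave", "frank"),  # three marginals -> FULL
            ("bob", "grace"),                 # one marginal -> grace MARGINAL
            ("ivan", "heidi"),                # ivan's key is not valid, so this carries no weight
        ],
    )


if __name__ == "__main__":
    for key, v in sorted(calculated_validity(example_ring()).items()):
        print(f"{key:6s} {v}")
```

The shape of the calculation is the point: ownertrust is a private, per-user setting, and nothing a certifier embeds in a signature can reach into someone else's ownertrust table. A machine-readable "never rely on X's certifications" statement would only matter if the engine grew a second, equally local table saying how much each user believes each certifier's assessments of others, which is exactly the extra concept the message argues against.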