Signature without policy meaningless? (was Re: UI terminology for calculated validities)

NdK ndk.clanbo at gmail.com
Sat May 3 09:54:48 CEST 2014


On 03/05/2014 01:10, Daniel Kahn Gillmor wrote:

> Having such an assertion cryptographically bound to the OpenPGP
> certificate in parseable form implies in some sense that you think a
> mechanical process (e.g. WoT calculated validity) should be able to make
> use of it.  But how would that work?
Making the WoT calculator avoid looking for keys signed by that user if
reached through my certification.

>  It sounds like you'd want to ask
> an OpenPGP to introduce an additional concept on top of the notions of
> validity and ownertrust (which are already confusing):
They work: I'm *really* confused. :)

> some sort of meta-ownertrust: instead of ownertrust's question of:
> "how much am i willing to rely on NdK's identity assertions",
Well, if ownertrust answers that, it's what I need: a way to say "I am
sure this key belongs to X, but I don't want it to be used to introduce
more keys in the WoT".

> meta-ownertrust would ask
> "how much am i willing to believe NdK's assessments of certification
> practice quality?"  Who is going to understand this question?  What kind
> of UI would you suggest for it?
No, it's not what I meant.

BYtE,
 Diego.


