Signature without policy meaningless? (was Re: UI terminology for calculated validities)

NdK ndk.clanbo at gmail.com
Sun May 4 09:21:24 CEST 2014


Il 03/05/2014 10:50, Nicholas Cole ha scritto:

>> Well, if ownertrust answers that, it's what I need: a way to say "I am
>> sure this key belongs to X, but I don't want it to be used to introduce
>> more keys in the WoT".
> But it doesn't work like that anyway.  Unless you are using Trust
> signatures (and few people do) then a signature on a key does not
> encourage a 3rd party to trust signatures made by that key.
Ah, OK. Now it makes more sense.

Tks for the clarification.

> Even if a key is recognised as authenticated/validated/certified for
> association with a particular email address, the signatures made by
> that key will not be trusted by anyone who has not made an active
> decision to make a particular key a trusted introducer.
IIUC, *unless* I tsig it.
But if I use tsig I'm doing both an "identity" signature and a trust
signature. I see no way I can publicly say "I don't really know
real-world identity of this subject, but I trust him as an introducer"
(yep, might sound strange [*], but often a pseudonym is more meaningful
than RL name, but pseudonyms aren't "good" in WoT): if I tsig his key,
I'm certifying his pseudonym -- that I shouldn't do since it's not on any
document.

[*] well, not too strange in many cases, when it's "healthier" that a
pseudonym is *not* easily correlated to a RL identity.

> In fact, this is a reason (though one of many) why the web of trust
> has never quite lived up to its promise.  No UI that I am aware of
> sets even marginal trust by default on newly imported keys.  Most
> users (I suspect) will only ever end up trusting keys that they
> themselves have signed.  That is the default position.
Understandable/safer, but harder to bootstrap :)

BYtE,
 Diego.
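As an added illustration (not part of the post, and a simplified model rather than GnuPG's own code): the calculation below shows why a plain certification validates a key's identity without making that key's own signatures count for anyone else, why local ownertrust or a tsig does make them count, and why a tsig necessarily also certifies the identity it is attached to. The key names and the exact propagation rules are constructed assumptions.

```python
# Simplified model of the classic OpenPGP/GnuPG trust calculation.
# Not GnuPG's code; tsig propagation is approximated for illustration.
from dataclasses import dataclass

FULL, MARGINAL = "full", "marginal"
COMPLETES_NEEDED, MARGINALS_NEEDED = 1, 3   # GnuPG defaults


@dataclass(frozen=True)
class Cert:
    signer: str
    target: str
    tsig_level: int = 0      # 0: ordinary certification; >=1: trust signature
    tsig_amount: str = FULL  # trust conveyed when tsig_level >= 1


def compute_validity(me, ownertrust, certs):
    """Return (valid keys, introducer map) for a constructed keyring.
    ownertrust is the local, non-public setting {key: FULL|MARGINAL};
    'me' is the ultimately trusted key."""
    valid = {me}
    # key -> (amount, level): level>=1 validates identities it certifies,
    # level>=2 also lets its own lower-level tsigs confer introducer status.
    introducers = {me: (FULL, 255)}
    introducers.update({k: (v, 1) for k, v in ownertrust.items()})
    changed = True
    while changed:
        changed = False
        for c in certs:
            if c.signer not in valid or c.signer not in introducers:
                continue  # the thread's point: a valid but untrusted key is inert
            amt, lvl = introducers[c.signer]
            # a tsig from a meta-introducer makes its target an introducer
            if c.tsig_level >= 1 and lvl >= 2 and c.target not in introducers:
                conveyed = MARGINAL if MARGINAL in (amt, c.tsig_amount) else FULL
                introducers[c.target] = (conveyed, min(c.tsig_level, lvl - 1))
                changed = True
        # every certification (plain or tsig) made by a valid introducer
        # counts toward the validity of the target's identity
        for k in {c.target for c in certs} - valid:
            votes = [introducers[c.signer][0] for c in certs
                     if c.target == k and c.signer in valid
                     and c.signer in introducers]
            if (votes.count(FULL) >= COMPLETES_NEEDED
                    or votes.count(MARGINAL) >= MARGINALS_NEEDED):
                valid.add(k)
                changed = True
    return valid, introducers
```

Running the three variants of the constructed chain me -> alice -> bob (plain certification only, plain certification plus local ownertrust on alice, and a tsig on alice) reproduces the behaviour Nicholas describes: only the last two make bob valid, and the tsig variant also marks alice valid.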


