Verification via the web of trust

Doug Barton dougb at
Wed Mar 23 22:07:38 CET 2016

On 3/22/2016 11:14 AM, Andrew Gallagher wrote:
> the question most useful to a user is "given this particular
> signature, how much confidence should I invest in it?".

No, the question *most* users that bother to use the signature at all 
ask about it is, "Did it validate?"

The answer to *your* question, "How much confidence should I invest in 
it?" is, "Very little."

Except in certain specialized situations the only utility for a PGP 
signature is, "Does it show that the thing signed arrived unchanged?" 
You cannot reasonably place more confidence in it than that, regardless 
of the number of known signatures the key has.

1. You don't know if the key was in full control of the 
person/organization it purports to represent before, during, or after 
the signatures you are trusting were applied.

2. You don't know if the person in control of the key at the time the 
thing you care about was signed was being coerced, or not.

And as Robert pointed out, for organizational keys there is no way that 
you can associate control of the key with a known, trusted individual.

So trying to validate a key in the manner you described in your e-mail 
is at best a fool's errand. If you enjoy the work, by all means help 
yourself. But let's please stop pretending that signatures mean more 
than they really do.


More information about the Gnupg-users mailing list