Verification via the web of trust
Doug Barton
dougb at dougbarton.email
Wed Mar 23 22:07:38 CET 2016
On 3/22/2016 11:14 AM, Andrew Gallagher wrote:
> the question most useful to a user is "given this particular
> signature, how much confidence should I invest in it?".

No, the question *most* users that bother to use the signature at all
ask about it is, "Did it validate?"

The answer to *your* question, "How much confidence should I invest in
it?" is, "Very little."

Except in certain specialized situations the only utility for a PGP
signature is, "Does it show that the thing signed arrived unchanged?"
You cannot reasonably place more confidence in it than that, regardless
of the number of known signatures the key has.

1. You don't know if the key was in full control of the
person/organization it purports to represent before, during, or after
the signatures you are trusting were applied.

2. You don't know if the person in control of the key at the time the
thing you care about was signed was being coerced, or not.

And as Robert pointed out, for organizational keys there is no way that
you can associate control of the key with a known, trusted individual.

So trying to validate a key in the manner you described in your e-mail
is at best a fool's errand. If you enjoy the work, by all means help
yourself. But let's please stop pretending that signatures mean more
than they really do.

Doug
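An added example, not code from the post or from the gnupg-users thread, that makes the point above concrete: it builds a throwaway keyring, generates a key whose user ID is an arbitrary organizational-looking string, signs a file, and shows what `gpg --verify` actually reports. A good verdict names the key and confirms the file is unchanged; the "signer" it prints is just the user ID text the key's creator typed. The identity string, file path and contents are constructed for the demonstration, and the script assumes GnuPG 2.1 or later on the PATH.

```shell
#!/bin/sh
# Added example, not code from the post: what a "good" PGP signature proves.
# Assumes GnuPG 2.1+ (quick-generate-key, pinentry loopback). All names,
# paths and file contents below are constructed for the demonstration.
set -eu

# Create an isolated keyring with one unprotected signing key. The user ID is
# an arbitrary string: anyone can generate a key that claims this name.
make_key() {
    GNUPGHOME=$(mktemp -d); export GNUPGHOME
    chmod 700 "$GNUPGHOME"
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key 'Example Project Release Key <release@example.org>' \
        ed25519 sign never 2>/dev/null
}

# Produce a detached signature "$1.sig" for file "$1".
sign_file() {
    gpg --batch --quiet --yes --pinentry-mode loopback --passphrase '' \
        --detach-sign --output "$1.sig" "$1" 2>/dev/null
}

# Machine-readable verdict: the GOODSIG/BADSIG/VALIDSIG status words on one
# line. BADSIG makes gpg exit non-zero; awk is last in the pipeline, so the
# caller sees the verdict text rather than gpg's exit status.
verify_words() {
    gpg --batch --status-fd 1 --verify "$1.sig" "$1" 2>/dev/null \
      | awk '/^\[GNUPG:\] (GOODSIG|BADSIG|VALIDSIG) / { printf "%s%s", sep, $2; sep=" " }
             END { print "" }'
}

# The name gpg reports for a good signature is just the key's user ID text.
# It says which key signed, not who controlled that key or under what pressure.
claimed_signer() {
    gpg --batch --status-fd 1 --verify "$1.sig" "$1" 2>/dev/null \
      | awk '/^\[GNUPG:\] GOODSIG / { $1=""; $2=""; $3=""; sub(/^ +/, ""); print; exit }'
}

demo() {
    make_key
    f="$GNUPGHOME/release.tar"               # constructed artifact
    printf 'release 1.0 contents\n' > "$f"
    sign_file "$f"
    echo "intact:    $(verify_words "$f")"    # GOODSIG VALIDSIG
    echo "signed by: $(claimed_signer "$f")"  # the UID string, nothing more
    printf 'one more byte\n' >> "$f"          # tamper after signing
    echo "tampered:  $(verify_words "$f")"    # BADSIG
}

# Run the demonstration only where gpg is installed.
if command -v gpg >/dev/null 2>&1; then demo; fi
```

The intact file yields GOODSIG and VALIDSIG, the tampered one BADSIG, and in both cases the only identity involved is a key fingerprint plus a self-asserted user ID; nothing in the output speaks to who held the key, or whether the holder was free to refuse, when the signature was made.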