Verification via the web of trust

Andrew Gallagher andrewg at andrewg.com
Thu Mar 24 00:38:36 CET 2016


On 23 Mar 2016, at 21:07, Doug Barton <dougb at dougbarton.email> wrote:
> 
>> On 3/22/2016 11:14 AM, Andrew Gallagher wrote:
>> the question most useful to a user is "given this particular
>> signature, how much confidence should I invest in it?".
> 
> No, the question *most* users that bother to use the signature at all ask about it is, "Did it validate?"

You're contradicting something I didn't say.

> The answer to *your* question, "How much confidence should I invest in it?" is, "Very little."

"Very little" is still better than "nothing", which is the only alternative on offer. 

> Except in certain specialized situations the only utility for a PGP signature is, "Does it show that the thing signed arrived unchanged?"

Unchanged compared to what? ;-)

> You cannot reasonably place more confidence in it than that, regardless of the number of known signatures the key has.
> 
> 1. You don't know if the key was in full control of the person/organization it purports to represent before, during, or after the signatures you are trusting were applied.
> 
> 2. You don't know if the person in control of the key at the time the thing you care about was signed was being coerced, or not.
> 
> And as Robert pointed out, for organizational keys there is no way that you can associate control of the key with a known, trusted individual.

All true. And all beside the point that I was making, which is that a validated signature may not be much, but it's a) all that we have, and b) better than nothing. 

> So trying to validate a key in the manner you described in your e-mail is at best a fool's errand. If you enjoy the work, by all means help yourself. But let's please stop pretending that signatures mean more than they really do.

Spending a lot of bandwidth refuting straw man points that I didn't actually make is also a fool's errand. ;-)

A
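
The two questions the thread keeps apart, "did it validate?" and "how much confidence should I invest in it?", are reported separately by gpg itself in its machine-readable status output. The following is an added example, not code from the thread's participants or from GnuPG: it reads the `--status-fd` lines (keyword layouts as documented in GnuPG's doc/DETAILS) and answers integrity and identity as two distinct results. The transcripts, fingerprint and user id are constructed for the example.

```python
"""Split "did it validate?" from "how far does the web of trust vouch for
the key?" by reading GnuPG's status lines.  Capture them with
    gpg --status-fd 1 --verify file.sig file > status.txt
and hand the text to parse_status().  Runs offline on constructed samples."""
from dataclasses import dataclass
from typing import Optional

# Keywords from GnuPG's doc/DETAILS.  The *SIG keywords answer the cryptographic
# question; the TRUST_* keyword answers the web-of-trust question.  gpg prints
# both, and a check that only greps for "Good signature" conflates them.
SIG_KEYWORDS = {
    "GOODSIG": "good",           # verifies with a key in the keyring
    "EXPKEYSIG": "expired-key",  # verifies, but the signing key has expired
    "REVKEYSIG": "revoked-key",  # verifies, but the signing key is revoked
    "EXPSIG": "expired-sig",     # verifies, but the signature itself expired
    "BADSIG": "bad",             # does not verify: data or signature changed
    "ERRSIG": "error",           # could not be checked at all
    "NO_PUBKEY": "no-key",       # signing key is not in the keyring
}
TRUST_KEYWORDS = {
    "TRUST_UNDEFINED": "undefined", "TRUST_NEVER": "never",
    "TRUST_MARGINAL": "marginal", "TRUST_FULLY": "full",
    "TRUST_ULTIMATE": "ultimate",
}


@dataclass
class VerifyResult:
    signature: str = "none"             # a SIG_KEYWORDS value, or "none"
    key_id: Optional[str] = None        # long key id from the *SIG line
    fingerprint: Optional[str] = None   # primary-key fingerprint from VALIDSIG
    key_validity: Optional[str] = None  # a TRUST_KEYWORDS value, if any


def parse_status(status_text: str) -> VerifyResult:
    """Reduce one --status-fd transcript to a VerifyResult."""
    result = VerifyResult()
    for line in status_text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue  # ordinary gpg messages, if stderr was merged in
        fields = line.split()
        keyword = fields[1]
        if keyword in SIG_KEYWORDS:
            result.signature = SIG_KEYWORDS[keyword]
            result.key_id = fields[2] if len(fields) > 2 else None
        elif keyword == "VALIDSIG":
            # field 2 is the fingerprint of the (sub)key that signed;
            # the last field is the primary key's fingerprint.
            result.fingerprint = fields[-1]
        elif keyword in TRUST_KEYWORDS:
            result.key_validity = TRUST_KEYWORDS[keyword]
    return result


def verdict(r: VerifyResult) -> str:
    """Answer the two questions in order: integrity first, then identity."""
    if r.signature != "good":
        return f"reject: signature status is '{r.signature}'"
    # From here on the data is unchanged relative to what the holder of key
    # r.key_id signed.  Whether that holder is the person named in the user
    # id is a separate question, answered only by the TRUST_* line.
    if r.key_validity in ("full", "ultimate"):
        return "accept: unchanged since signing; web of trust binds key to user id"
    if r.key_validity == "marginal":
        return "caution: unchanged since signing; key only marginally valid"
    if r.key_validity == "never":
        return "reject: unchanged since signing, but key is marked never-trusted"
    return "unverified: unchanged since signing, but nothing vouches for whose key it is"


# Constructed sample transcripts: fingerprint and user id are made up,
# line layouts follow doc/DETAILS.
FPR = "ABCDEF0123456789ABCDEF0123456789ABCDEF01"
KEYID = FPR[-16:]
UID = "Example Signer <signer@example.invalid>"

STATUS_UNKNOWN_VALIDITY = f"""\
gpg: Signature made Thu 24 Mar 2016 00:38:36 CET
[GNUPG:] NEWSIG
[GNUPG:] KEY_CONSIDERED {FPR} 0
[GNUPG:] GOODSIG {KEYID} {UID}
[GNUPG:] VALIDSIG {FPR} 2016-03-24 1458776316 0 4 0 1 8 00 {FPR}
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""
STATUS_FULL_VALIDITY = STATUS_UNKNOWN_VALIDITY.replace("TRUST_UNDEFINED", "TRUST_FULLY")
STATUS_BAD = f"[GNUPG:] NEWSIG\n[GNUPG:] BADSIG {KEYID} {UID}\n"
STATUS_NO_KEY = (f"[GNUPG:] NEWSIG\n[GNUPG:] ERRSIG {KEYID} 1 8 00 1458776316 9 {FPR}\n"
                 f"[GNUPG:] NO_PUBKEY {KEYID}\n")

if __name__ == "__main__":
    samples = {"unknown validity": STATUS_UNKNOWN_VALIDITY, "full validity": STATUS_FULL_VALIDITY,
               "bad signature": STATUS_BAD, "missing key": STATUS_NO_KEY}
    for name, text in samples.items():
        print(f"{name:18s} -> {verdict(parse_status(text))}")
```

The first sample is the common case the thread is about: GOODSIG and VALIDSIG say the bytes are what the key holder signed, while TRUST_UNDEFINED says the local web of trust has nothing to say about who that key holder is. Treating that as "accept" is the conflation being argued over; treating it as "unverified" keeps the little that a validated signature does give.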


More information about the Gnupg-users mailing list