Verification via the web of trust

Doug Barton dougb at
Thu Mar 24 07:34:08 CET 2016

On 03/23/2016 04:38 PM, Andrew Gallagher wrote:
> On 23 Mar 2016, at 21:07, Doug Barton <dougb at> wrote:
>>> On 3/22/2016 11:14 AM, Andrew Gallagher wrote:
>>> the question most useful to a user is "given this particular
>>> signature, how much confidence should I invest in it?".
>> No, the question *most* users that bother to use the signature at all ask about it is, "Did it validate?"
> You're contradicting something I didn't say.

Yes, I am. I'm trying to make a point. One which I think you failed to 

>> The answer to *your* question, "How much confidence should I invest in it?" is, "Very little."
> "Very little" is still better than "nothing", which is the only alternative on offer.
>> Except in certain specialized situations the only utility for a PGP signature is, "Does it show that the thing signed arrived unchanged?"
> Unchanged compared to what? ;-)

I'm assuming that this is not a serious question.

>> You cannot reasonably place more confidence in it than that, regardless of the number of known signatures the key has.
>> 1. You don't know if the key was in full control of the person/organization it purports to represent before, during, or after the signatures you are trusting were applied.
>> 2. You don't know if the person in control of the key at the time the thing you care about was signed was being coerced, or not.
>> And as Robert pointed out, for organizational keys there is no way that you can associate control of the key with a known, trusted individual.
> All true. And all beside the point that I was making, which is that a validated signature may not be much, but it's a) all that we have, and b) better than nothing.

No, it's *not* beside the point. You keep saying "better than nothing," 
which is technically correct, but not sufficient. We need to understand 
and discuss exactly *how much* better than nothing a valid signature is 
before we can seriously discuss how much weight to put on it, or how 
much spelunking through the WOT we're willing to perform, or (more 
importantly) recommend.

>> So trying to validate a key in the manner you described in your e-mail is at best a fool's errand. If you enjoy the work, by all means help yourself. But let's please stop pretending that signatures mean more than they really do.
> Spending a lot of bandwidth refuting straw man points that I didn't actually make is also a fool's errand. ;-)

Ok, so let me be more direct, since I was obviously too subtle the first 
time. You described downloading keys and validating signatures in an 
effort to validate a key which signed a random software package that you 
downloaded from the Internet which is, by and large, a colossal waste of 
time. Further, you seem dangerously misinformed about what value to 
place on the work that you performed (that is, any actual increase in 
trust or validity that you placed on the key after you were done ... 
hint: It's zero).

Because of the three points I listed above, any work spent validating 
the key that made the signature is simply a waste of time. You cannot, 
and more importantly should not, impart any additional "trust" in 
signatures made by that key due to the work you performed.

Now it's your time to spend, so if you want to spend it thusly, that's 
great. More power to you. But before you create any grand plans or 
recommend that others do the same kind of work you really need to 
understand the situation better.

hope this helps,


More information about the Gnupg-users mailing list