OpenPGP third-party certifications do not imply trust [was: Re: Announcing paperbackup.py to backup keys as QR codes on paper]
Daniel Kahn Gillmor
dkg at fifthhorseman.net
Thu Feb 23 20:47:05 CET 2017
[ not on-topic for this thread, hence the subject change ]
On Thu 2017-02-23 05:00:54 -0500, Gerd v. Egidy wrote:
>> The certificate (aka public key) includes all signatures, all the data
>> on the keyserver. It's data you don't really need to back up since it is
>> public, and it can be huge. My key.asc file is 137,424 bytes following
>> your instructions.
>
> Seems you are trusted by much more people than me ;)
I'm calling this out because it's a common misconception, and i don't
want it to lie here unchallenged when someone is browsing the archives.
The people who "sign your key" (who have created an OpenPGP
certification that binds your primary key to your User ID) are only
identifying you and your key. They have said nothing about "trust" by
making those certifications.
For example, I am happy to certify the identity and key of someone who i
do not trust at all, as long as i know who they are and they've asserted
their key to me in-person, or across some reliable, non-forgeable
transport.
So the fact that Alice has a dozen certifications on her key and Bob has
two doesn't mean that Alice is trusted by more people than Bob at all.
It just means that more people have been willing to publicly assert that
they know Alice's identity and key than have been willing to publicly
assert the same information about Bob.
--dkg
More information about the Gnupg-users
mailing list