WoT question - policy

Stefan Claas stefan.claas at posteo.de
Thu Nov 15 21:05:05 CET 2018


On Thu, 15 Nov 2018 20:15:21 +0100, Dirk Gottschalk via Gnupg-users
wrote:

Hi,


> > When I first learned about PGP in 94/95 I also thought why should
> > people sign each other's keys for a WoT and why do we need a global
> > WoT and what is it good for.
> 
> This should be obvious.

Please elaborate a little bit more, because new users or old farts like me
maybe do not understand what its purpose is, i.e. to publicly state
to the whole world (thanks to key servers) that people use PGP or
GnuPG?

> > With my humble approach I like to be honest, in that form, that I
> > did my best for certifying someone's key which might be useful for
> > someone else, entering the WoT, without letting third parties
> > know that I know a person personally, or have a longtime online
> > friendship etc. or that I belong to a certain group of people.
> 
> With differing signature levels you surely do let people know that
> kind of data. There are even small tools available which produce a
> diagram of relations between people/keys from their signatures,
> including the signature level data. This can be done via recursively
> fetching the keys from a key server.

I disagree; with my humble approach, IMHO, third parties do not know
that people are my real friends or colleagues, or that I belong to a
certain group.

> > With the sig0 approach I have the following problem: I could create
> > a couple of fake Keybase accounts, for example, give each other
> > a sig0, and then what is this good for if I follow the advice from
> > the blog, and what trust should a third party gain from so many
> > sig0 on such a key?
> 
> You can sign sig0 without having any trouble of this kind. That's the
> reason why we have the trustdb since GnuPG 2.?. It depends on the
> internally set trust, and gpg computes the calculated trust level for the
> key in question.

I am no expert, but I would like to know, from my example (because I don't
understand this), how I could trust this internal computation when it
is only visible to me and not to third parties?

> I do use signature levels as well, but I have been thinking about this
> practice for a while now. Even giving a sig3 changes nothing if I
> assigned just a marginal in the trustdb. The chain is relevant, not
> the level you assigned.

If people read between the lines, so to speak, when reading my
policy, they would hopefully help to strengthen the WoT in that
they could adopt it or improve it and sign each other's keys that
way to build a stronger chain. Or am I too naive and blue-eyed?

I mean, what would people have to lose or give up when using my
approach? Combining a classical verification method with modern
technology is for me a good thing, and I believe for honest people too.

I bet if Werner, for example, did the same, his letterbox would
be filled immediately... :-)

O.k., the one thing that may be a bit difficult today is to actually write
a postcard and go to the post office, in the surveilled Internet age, where
Facebook, WhatsApp etc. rule. :-)

Regards
Stefan

-- 
https://www.behance.net/futagoza
https://keybase.io/stefan_claas
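Added worked example (not part of Stefan's or Dirk's mails): a small Python model of the trust computation the two of them argue about above, i.e. how gpg's classic trust model turns certifications, the owner trust set privately in the trustdb, and the chain of valid keys back to the user's own key into a validity for each key. All key names (me, alice, bob, carol, dave, fake1..fake4) and certifications are constructed; the thresholds mirror gpg's documented defaults (three marginals or one complete, max depth five, min-cert-level two), but the code is a simplified illustration, not GnuPG's implementation.

```python
"""Simplified model of GnuPG's classic Web-of-Trust validity computation.

Added illustrative code, not GnuPG's implementation. It models the three
inputs argued about in this thread: the certification level written into a
signature (sig0..sig3), the owner trust set privately in the trustdb, and the
chain of valid keys leading back to the user's own key.
"""
from collections import defaultdict

# Defaults as documented for gpg's --marginals-needed, --completes-needed,
# --max-cert-depth and --min-cert-level options (the model mirrors them).
MARGINALS_NEEDED = 3
COMPLETES_NEEDED = 1
MAX_CERT_DEPTH = 5
MIN_CERT_LEVEL = 2      # sig1 (persona) certs are ignored; sig0 always counts

CAN_VOUCH = ("ultimate", "full")   # validity a key needs before its owner trust is used


def compute_validity(certs, ownertrust,
                     marginals_needed=MARGINALS_NEEDED,
                     completes_needed=COMPLETES_NEEDED,
                     max_cert_depth=MAX_CERT_DEPTH,
                     min_cert_level=MIN_CERT_LEVEL):
    """Return {key: validity} for every key named in certs or ownertrust.

    certs:      iterable of (signer, signee, level), level 0..3
    ownertrust: {key: "ultimate" | "full" | "marginal" | "unknown"}
    validity:   "ultimate" | "full" | "marginal" | "unknown"
    """
    signers_of = defaultdict(set)
    keys = set(ownertrust)
    for signer, signee, level in certs:
        keys.update((signer, signee))
        # gpg: level 0 is always accepted; other levels must reach min-cert-level
        if signer != signee and (level == 0 or level >= min_cert_level):
            signers_of[signee].add(signer)

    validity = {k: "unknown" for k in keys}
    for k in keys:
        if ownertrust.get(k) == "ultimate":
            validity[k] = "ultimate"

    # One certification hop per round. Only keys that are already fully valid
    # AND carry owner trust can vouch for others, so the chain of such keys,
    # not the level in any single certificate, decides the outcome.
    for _hop in range(max_cert_depth):
        changes = {}
        for k in keys:
            if validity[k] in CAN_VOUCH:
                continue
            full = marginal = 0
            for s in signers_of[k]:
                if validity[s] not in CAN_VOUCH:
                    continue            # an unvalidated signer has no say
                ot = ownertrust.get(s, "unknown")
                if ot in ("ultimate", "full"):
                    full += 1
                elif ot == "marginal":
                    marginal += 1
            if full >= completes_needed or marginal >= marginals_needed:
                new = "full"
            elif full or marginal:
                new = "marginal"        # some support, but not enough
            else:
                new = "unknown"
            if new != validity[k]:
                changes[k] = new
        if not changes:
            break
        validity.update(changes)
    return validity


def scenario_level_does_not_matter():
    """Dirk's point: a sig3 from a marginally trusted key counts like a sig0."""
    ownertrust = {"me": "ultimate", "alice": "marginal",
                  "bob": "marginal", "dave": "marginal"}
    base = [("me", "alice", 3), ("me", "bob", 0), ("me", "dave", 0),
            ("bob", "carol", 0), ("dave", "carol", 0)]
    with_sig3 = compute_validity(base + [("alice", "carol", 3)], ownertrust)
    with_sig0 = compute_validity(base + [("alice", "carol", 0)], ownertrust)
    only_alice = compute_validity([("me", "alice", 3), ("alice", "carol", 3)],
                                  ownertrust)
    return with_sig3["carol"], with_sig0["carol"], only_alice["carol"]


def scenario_fake_ring():
    """Stefan's worry: throwaway keys that sig0 each other gain no validity."""
    fakes = ["fake1", "fake2", "fake3", "fake4"]
    certs = [(a, b, 0) for a in fakes for b in fakes if a != b]
    validity = compute_validity(certs, {"me": "ultimate"})
    return sorted({validity[f] for f in fakes})


def scenario_persona_cert_ignored():
    """A sig1 is dropped by the default min-cert-level; a sig0 is not."""
    ownertrust = {"me": "ultimate", "alice": "full"}
    sig1 = compute_validity([("me", "alice", 3), ("alice", "carol", 1)], ownertrust)
    sig0 = compute_validity([("me", "alice", 3), ("alice", "carol", 0)], ownertrust)
    return sig1["carol"], sig0["carol"]


if __name__ == "__main__":
    print("carol via sig3 / sig0 / alice alone:", scenario_level_does_not_matter())
    print("ring of throwaway keys:", scenario_fake_ring())
    print("sig1 vs sig0 from a fully trusted key:", scenario_persona_cert_ignored())
```

The first scenario shows why the level written into a certificate does not change the computed validity: carol becomes fully valid because three marginally trusted, valid keys vouch for her, whether alice used sig3 or sig0, and with alice alone she stays marginal. The second shows why a ring of mutually sig0'd keys is harmless to a third party's trustdb: none of them is reachable from an ultimately trusted key, so they all remain unknown. The third is the one place where the level does matter by default: a persona (sig1) certification is disregarded entirely.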