WoT question - policy

Dirk Gottschalk dirk.gottschalk1980 at googlemail.com
Thu Nov 15 22:54:01 CET 2018


Hello Stefan.

On Thursday, 15.11.2018, 21:05 +0100, Stefan Claas wrote:
> On Thu, 15 Nov 2018 20:15:21 +0100, Dirk Gottschalk via Gnupg-users
> wrote:
> 
> > > When i first learned about PGP in 94/95 i also thought why should
> > > people sign each other's key for a WoT and why do we need a
> > > global WoT and what is it good for.  
> > 
> > This should be obvious.
> 
> Please elaborate a little bit more, because new users or old farts like
> me maybe do not understand what its purpose is, i.e. to publicly
> state to the whole world (thanks to key servers) that people use PGP
> or GnuPG?

The intention of the WoT is to create trust chains. This implies a
chain of signatures; the quantity of signatures is not really
important, IMHO.


> > > With my humble approach i like to be honest, in that form, that i
> > > did my best for certifying someone's key which might be useful for
> > > someone else, entering the WoT, without letting third parties
> > > know that i know a person personally, or have a longtime online
> > > friendship etc. or that i belong to a certain group of people.

> > With differing signature levels you surely do let people know that
> > kind of data. There are even small tools available which produce
> > a diagram of relations between people/keys from their signatures,
> > including the signature level data. This can be done via
> > recursively fetching the keys from a key server.

> I disagree, with my humble approach imho third parties do not know
> that people are my real friends, colleagues, or that i belong to a
> certain group.

The implication matters. For example: if you sign three keys of,
let's assume, kidnappers with level 3, I guess the police won't read and
understand your policy first; you'll get a little trouble for sure.
Okay, that is a bad example. But the diagram will result in level 3
relations, which can lead to assumptions somebody does not want or
intend.


> > > With the sig0 approach i have the following problem: I could
> > > create a couple of fake keybase accounts, for example, give each
> > > other a sig0, and then what is this good for if i follow the
> > > advice from the blog, and what trust should a third party gain
> > > from so many sig0 on such a key?

> > You can sign sig0 without having any trouble of this kind. That's
> > the reason why we have the trustdb since GnuPG 2.?. It depends on the
> > internally set trust, and gpg computes the calculated trust level for
> > the key in question.

> I am no expert, but i like to know from my example (because i don't
> understand this) how could i trust this internal computation, when it
> is only visible to me and not to third parties?

It is based on your trust in the signers. There is a chain of trust
dependencies for the trustdb. The levels full, marginal and so on lead
to basic calculations of how reliable a key is which is indirectly
signed by trusted keys. I did not dig deeper into the GPG internals for
this system, but I've already seen it works well, at least for me.


> > I do use signature levels as well, but I have been thinking about this
> > practice for a while now. Even giving a sig3 changes nothing if I
> > assigned just a marginal in the trustdb. The chain is relevant, not
> > the level you assigned.

> If people read between the lines, so to speak, when reading my
> policy, they would hopefully help to strengthen the WoT in that
> they could adopt it or improve it and sign each other's key that
> way to build a stronger chain. Or am i too naive and blue-eyed?

I see what you are trying to approach.


> I mean, what would people have to lose or give up when using my
> approach? Combining a classical verification method with modern
> technology is for me a good thing, and i believe for honest people
> too.

I don't say your approach is bad.

> I bet if Werner, for example, would do the same, his letterbox would
> be filled immediately... :-)

> O.k., the one thing that may be a bit difficult today is to actually
> write a postcard and go to the post office, in the surveilled Internet
> age, where Facebook and WhatsApp etc. rule. :-)

Indeed. ^^

Regards,
Dirk

-- 
Dirk Gottschalk
Paulusstrasse 6-8
52064 Aachen, Germany

GPG: DDCB AF8E 0132 AA54 20AB  B864 4081 0B18 1ED8 E838
Keybase.io: https://keybase.io/dgottschalk
GitHub: https://github.com/Dirk1980ac
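The trustdb calculation Dirk describes above (validity derived from the owner trust you assign to the signers, with the certification level of a signature playing no role beyond a minimum), as an added worked example; this is not part of the thread or of GnuPG's own code. The defaults used (completes-needed 1, marginals-needed 3, max-cert-depth 5, min-cert-level 2) mirror gpg's documented defaults; the key graph and trust assignments are constructed.

```python
# Toy re-implementation of the classic GnuPG trust calculation: a key becomes
# valid because enough *valid* keys whose owners you trust have signed it.
# The certification level (sig0..sig3) does not change the result.
from collections import defaultdict

# Assumed to mirror gpg defaults: --completes-needed 1, --marginals-needed 3,
# --max-cert-depth 5, --min-cert-level 2 (level-1 "persona" sigs are ignored).
COMPLETES_NEEDED, MARGINALS_NEEDED, MAX_CERT_DEPTH, MIN_CERT_LEVEL = 1, 3, 5, 2

def compute_validity(sigs, ownertrust):
    """sigs: list of (signer, signee, cert_level); ownertrust: {key: level}
    with level in {"ultimate", "full", "marginal", "unknown"}.
    Returns {key: validity} with validity in {"full", "marginal", "unknown"}."""
    keys = set(ownertrust) | {k for s in sigs for k in s[:2]}
    validity = {k: "unknown" for k in keys}
    for k, t in ownertrust.items():
        if t == "ultimate":
            validity[k] = "full"          # your own keys are valid by definition
    # Level 1 never counts; levels 0, 2 and 3 all count exactly the same.
    signers = defaultdict(set)
    for a, b, lvl in sigs:
        if lvl == 0 or lvl >= MIN_CERT_LEVEL:
            signers[b].add(a)
    for _ in range(MAX_CERT_DEPTH):       # each pass extends the chain one hop
        changed = False
        for key in keys:
            if validity[key] == "full":
                continue
            # Only signatures from already fully valid keys carry trust.
            trusted = [s for s in signers[key] if validity[s] == "full"]
            completes = sum(ownertrust.get(s) in ("full", "ultimate") for s in trusted)
            marginals = sum(ownertrust.get(s) == "marginal" for s in trusted)
            if completes >= COMPLETES_NEEDED or marginals >= MARGINALS_NEEDED:
                new = "full"
            elif completes or marginals:
                new = "marginal"          # some trust, but not enough
            else:
                new = "unknown"
            changed |= new != validity[key]
            validity[key] = new
        if not changed:
            break
    return validity

# Constructed graph: "me" is ultimate; alice (sig3) and bob (sig0) are both
# signed by me; carol has three marginal, valid signers; dave only has carol
# (marginal); eve has a level-1 sig from alice, which is ignored.
SIGS = [("me", "alice", 3), ("me", "bob", 0), ("me", "frank", 2),
        ("alice", "carol", 2), ("bob", "carol", 3), ("frank", "carol", 0),
        ("carol", "dave", 3), ("alice", "eve", 1)]
OWNERTRUST = {"me": "ultimate", "alice": "marginal", "bob": "marginal",
              "frank": "marginal", "carol": "marginal"}
```

Running `compute_validity(SIGS, OWNERTRUST)` gives alice and bob the same full validity despite sig3 versus sig0, carol full through three marginals, dave only marginal, and eve unknown.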
