Your Thoughts

Stefan Claas sac at
Wed Jul 3 19:24:05 CEST 2019

Alyssa Ross wrote:

Apologies for my late reply, I had overlooked your reply, sorry!

> For example, why isn't ask-cert-level a default? I'm guessing it's just
> because at some point it didn't exist, and the developers didn't want to
> make a backwards incompatible change. But it means that, out of the box,
> signatures on other keys are next to useless, because it's not possible
> to specify how carefully you've checked a key. This leads to people only
> signing keys that they've very carefully checked, and makes it so that
> marginal signatures see almost no use, which I think has likely been a
> major contributor to the failure of the web of trust.

I would even say that if --ask-cert-level were a default, it would
not guarantee how carefully a user has done key management. If you
look at WWW-based key server interfaces, you seldom see people who
have a policy link attached to their signature. And even if they did have
one, they differ from user to user, making the WoT harder to understand.

I tried to formulate such a policy a while ago, to strengthen the classical
(global) WoT a bit, but responses to my procedure were minimal.

> A large part of what makes alternative encryption software like Signal
> successful is its simplicity. I don't have to worry about the 3000
> different setting combinations available to me, because there's been
> design work put into it to set me up for success out of the box. I've
> spent hours of my life learning about how to use GnuPG, and have ended
> up with a way of using it that seems completely different to anybody
> else's, but I still don't think I'm doing it right. It's not possible to
> figure out how to use it as intended, because there's no intended way to
> use it. There's no high level design for how people are supposed to use
> the software. And without that, it's never going to be possible to use
> GnuPG properly no matter how much time one is willing to invest.

Normally one needs only a few commands to use GnuPG successfully for
encrypting and signing messages or encrypting files. Sure, when looking
at the GnuPG FAQ or the source code of GnuPG, it is at first too much
for someone to study before he / she can use the software.
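As an added illustration of the certification levels the quoted paragraph refers to (example code, not from the list thread or from GnuPG itself): this script parses records in the `gpg --with-colons --list-sigs` format and counts third-party certifications by level, so a keyring owner can see how many signatures actually state how carefully a key was checked. The embedded sample records, key IDs and names are constructed, not real.

```python
"""Summarise certification levels on third-party key signatures.

Signature classes follow RFC 4880 section 5.2.1: 0x10 is the generic
certification GnuPG emits unless --ask-cert-level is set; 0x11-0x13
state persona, casual or positive verification.
"""
from collections import defaultdict

CERT_LEVELS = {
    "10": "generic (no statement about how the key was checked)",
    "11": "persona (no verification done)",
    "12": "casual verification",
    "13": "positive (careful verification)",
}

# Constructed sample in --with-colons format (field 11 of a 'sig' record
# is the class, e.g. "13x" exportable or "11l" local-only). Not real keys.
SAMPLE = """\
pub:u:4096:1:0123456789ABCDEF:1500000000::u:::scESC::::::23::0:
uid:u::::1500000000::0000::Alice <alice@example.org>::::::::::0:
sig:::1:0123456789ABCDEF:1500000000::::Alice <alice@example.org>:13x:::::2:
sig:::1:FEDCBA9876543210:1510000000::::Bob <bob@example.org>:10x:::::2:
sig:::1:1111222233334444:1520000000::::Carol <carol@example.org>:12x:::::2:
sig:::1:5555666677778888:1530000000::::Dave <dave@example.org>:11l:::::2:
"""


def parse_certifications(colons_output):
    """Return {signed_keyid: [(signer_keyid, level, exportable), ...]}.

    Self-signatures are skipped: they say nothing about how a third
    party checked the key.
    """
    certs = defaultdict(list)
    current_key = None
    for line in colons_output.splitlines():
        fields = line.split(":")
        if fields[0] == "pub":
            current_key = fields[4]
        elif fields[0] == "sig" and current_key and len(fields) > 10:
            signer, sig_class = fields[4], fields[10]
            level, flag = sig_class[:2], sig_class[2:]
            if signer == current_key or level not in CERT_LEVELS:
                continue
            certs[current_key].append((signer, level, flag == "x"))
    return dict(certs)


def level_counts(certs):
    """Count third-party certifications by level across all keys."""
    counts = {lvl: 0 for lvl in CERT_LEVELS}
    for sigs in certs.values():
        for _, level, _ in sigs:
            counts[level] += 1
    return counts
```

Run `level_counts(parse_certifications(SAMPLE))` on the sample, or feed it the output of `gpg --with-colons --list-sigs` from a real keyring; a keyring where almost everything is level 0x10 is the situation the quoted paragraph describes.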
