--lsign --add-me or the invisible WoT

Stefan Claas sac at 300baud.de
Wed Jul 31 16:25:37 CEST 2019

Andrew Gallagher wrote:

> On 31/07/2019 14:58, Stefan Claas via Gnupg-users wrote:
> > an exportable 'blob' for the lsign
> > command, which can be then exchanged and would not be compatible with
> > key servers, in case someone would try to upload such a blob
> The keyservers (SKS at least) blacklist lsign packets already, so you're
> not gaining anything here.

Correct. To make it a bit more clear ...

I lsign Bob's key so third parties do not know (normally) that I did
this. But how could my friend Alice trust Bob's key she has without
my non-exportable lsign sig?

What I tried to propose is an additional parameter, like --add-me
which would write a 'blob' to a second file.db where I can export
then Bob's blob (non-compatible to SKS etc.) with my --lsign sig,
and give it to my friend Alice. Later, if Alice knows Bob better
or personally knows him she can --lsign --add-me Bob's key ('blob')
too and give it to her friend Mary. Mary would have then a 'blob'
from Bob containing my and Alice's lsigs, which are non-compatible
to key servers, but would be IMHO equal to classic WoT sigs.

So to speak, it is meant for little WoTs (for those who need them)
where participants don't have to fear that their sigs are published
in the future on whatever key servers we have, to not reveal their
social graphs.


box: 4a64758de9e8ceded2c481ee526440687fe2f3a828e3a813f87753ad30847b56
GPG: C93E252DFB3B4DB7EAEB846AD8D464B35E12AB77 (avail. on Hagrid, WKD)
