Signing a Key

Jason Harris jharris at widomaker.com
Sat Feb 5 18:28:34 CET 2005


On Fri, Feb 04, 2005 at 08:46:05PM -0500, David Shaw wrote:
> On Fri, Feb 04, 2005 at 06:51:31PM -0500, Jason Harris wrote:

> 0x11 signatures are also interesting things.  When made by people (as
> opposed to robots) they are in effect someone making a public
> statement to say "Hey, look, I made a lousy signature".  I can't
> imagine why someone would choose to advertise far and wide how
> terrible their signing policy is, but GnuPG allows people to do stupid
> things if they really want to.

You (continue to) assume _all_ humans who issue 0x11 signatures do so
without employing encrypted challenges?

> > (Thus, GPG's --min-cert-level probably needs to be settable per signer -
> > after reviewing the signer's policies - to account for these differences.)
> 
> Your own statistics argue against this.  589 people in the entire
> OpenPGP world actually issued 0x11 signatures.  Just 293 people issued
> more than one.  Given the number of people using OpenPGP, 293 people
> is a rounding error.  That's not worth having a whole new trust model
> for, especially given the serious security ramifications of 0x11
> signatures, be vastly more confusing to new users, and be incompatible
> with PGP to boot.

Even ignoring 0x11 signatures, a 0x12 signature from a given issuer
implies less trust (due to less checking) than a 0x13 signature from
the same issuer.  What is the point in (any OpenPGP program) throwing
this extra data away (by ignoring it in trust calculations)?

-- 
Jason Harris           |  NIC:  JH329, PGP:  This _is_ PGP-signed, isn't it?
jharris at widomaker.com _|_ web:  http://keyserver.kjsl.com/~jharris/
          Got photons?   (TM), (C) 2004
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 309 bytes
Desc: not available
Url : /pipermail/attachments/20050205/446236a6/attachment.pgp


More information about the Gnupg-users mailing list