On 2/3/11 5:47 PM, Daniel Kahn Gillmor wrote:
>> By certifying the full user ID you are also certifying the comment.
This is not how either OpenPGP or GnuPG work. Certifiers get to define what their certifications mean. Bang, period, end of sentence.

There are *no* certification semantics in OpenPGP: there is only a rich and comprehensive set of syntactic primitives. It's true that, say, a persona-level signature is different syntactically than an I-have-done-extensive-checking signature: but OpenPGP quite wisely says *nothing* about the level of checking which goes into each signature level.

If you see a certification and you assume you know what the certifier intends, then you are living in sin. Ask the certifier for their policy: that's the only way to know.

Some people will make certifications willy-nilly ("well, I've traded emails with the guy a few times..."). Some will make certifications only very carefully. Some will make totally unreasonable certifications because they don't know any better, and some will not make reasonable certifications because they have an abundance of paranoia. Unless you ask the certifier, *you do not, and cannot, know*.

By certifying the full user ID, I am making a statement that is derived from my own local certification policy. That's all. Nothing else.