Hello Stefan.

On Thursday, 15.11.2018, 21:05 +0100, Stefan Claas wrote:
> On Thu, 15 Nov 2018 20:15:21 +0100, Dirk Gottschalk via Gnupg-users
> wrote:
>
> > > When I first learned about PGP in 94/95 I also thought why should
> > > people sign each other's key for a WoT and why do we need a
> > > global WoT and what is it good for.
> >
> > This should be obvious.
>
> Please elaborate a little bit more, because new users or old farts like
> me maybe do not understand what its purpose is, i.e. to publicly
> state to the whole world (thanks to key servers) that people use PGP
> or GnuPG?
The intention of the WoT is to create trust chains. This implies a chain of
signatures; the quantity of signatures is not really important, IMHO.

> > > With my humble approach I like to be honest, in that form, that I
> > > did my best for certifying someone's key which might be useful for
> > > someone else, entering the WoT, without letting third parties
> > > know that I know a person personally, or have a longtime online
> > > friendship etc. or that I belong to a certain group of people.
> >
> > With differing signature levels you surely do let people know that
> > kind of data. There are even small tools available, which produce
> > a diagram of relations between people/keys from their signatures,
> > including the signature level data. This can be done via
> > recursively fetching the keys from a key server.
>
> I disagree, with my humble approach IMHO third parties do not know
> that people are my real friends, colleagues, or that I belong to a
> certain group.

The implication matters. For example: if you sign three keys of, let's
assume, kidnappers, with level 3, I guess the police won't read and
understand your policy first; you'll get a little trouble for sure. Okay,
that is a bad example. But the diagram will result in level 3 relations,
which can lead to assumptions somebody does not want or intend.

> > > With the sig0 approach I have the following problem: I could
> > > create a couple of fake keybase accounts, for example, give each
> > > other a sig0 and then what is this good for if I follow the
> > > advice from the blog and what trust should a third party gain
> > > from this many sig0 on such a key?
> >
> > You can sign sig0 without having any trouble of this kind. That's
> > the reason why we have the trustdb since GnuPG 2.?. It depends on the
> > internally set trust and gpg computes the calculated trust level for
> > the key in question.
> I am no expert, but I like to know from my example (because I don't
> understand this) how could I trust this internal computation, when it
> is only visible to me and not to third parties?

It is based on your trust in the signers. There is a chain of trust
dependencies for the trustdb. The levels full, marginal and so on lead to
basic calculations of how reliable a key is which is indirectly signed by
trusted keys. I did not dig deeper into the GPG internals for this system,
but I've already seen it works well, at least for me.

> > I do use signature levels as well, but I am thinking about this
> > practice for a while now. Even giving a sig3 changes nothing, if I
> > assigned just a marginal in the trustdb. The chain is relevant, not
> > the level you assigned.
>
> If people read between the lines, so to speak, when reading my
> policy they would hopefully help to strengthen the WoT in that
> they could adopt it or improve it and sign each other's key that
> way to build a stronger chain. Or am I too naive and blue-eyed?

I see what you are trying to approach.

> I mean, what would people have to lose or give up when using my
> approach? Combining a classical verification method with modern
> technology is for me a good thing and I believe for honest people
> too.

I don't say your approach is bad.

> I bet if Werner, for example, would do the same, his letterbox would
> be filled immediately... :-)
>
> O.k. the one thing that may be a bit difficult today is to actually
> write a postcard and go to the post office, in the surveilled Internet
> age, where Facebook and WhatsApp etc. rule. :-)

Indeed. ^^

Regards,
Dirk

-- 
Dirk Gottschalk
Paulusstrasse 6-8
52064 Aachen, Germany
GPG: DDCB AF8E 0132 AA54 20AB B864 4081 0B18 1ED8 E838
Keybase.io: https://keybase.io/dgottschalk
GitHub: https://github.com/Dirk1980ac
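The exchange above turns on how gpg's trustdb turns ownertrust plus certifications into a key's validity, and on Dirk's point that the certification level (sig0 vs. sig3) is not what decides it. The following Python model is an added example for this thread, not GnuPG's own code. It follows the rules the gpg manual documents for the default trust model: ultimately trusted keys are valid a priori; a key becomes fully valid with at least completes-needed (default 1) certifications from valid, fully trusted keys or at least marginals-needed (default 3) from valid, marginally trusted keys; chains are capped at max-cert-depth (default 5); and certifications below min-cert-level (default 2, so level 1 "persona" signatures) are dropped while level 0 is always accepted. Expiry, revocation and per-user-ID validity are deliberately left out, and the keyring (alice, bob, carol, ...) is constructed for the example.

```python
"""Toy model of GnuPG's classic Web-of-Trust validity computation.

Added example, not gpg's own code. Parameter defaults mirror the gpg manual
(completes-needed 1, marginals-needed 3, max-cert-depth 5, min-cert-level 2).
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

UNKNOWN, NEVER, MARGINAL, FULL, ULTIMATE = "unknown", "never", "marginal", "full", "ultimate"


@dataclass
class Key:
    keyid: str
    ownertrust: str = UNKNOWN                                   # what *you* set in your trustdb
    certs: List[Tuple[str, int]] = field(default_factory=list)  # (signer keyid, cert level 0..3)


def compute_validity(keys: Dict[str, Key], completes_needed: int = 1,
                     marginals_needed: int = 3, max_cert_depth: int = 5,
                     min_cert_level: int = 2) -> Dict[str, str]:
    """Return {keyid: validity}, validity being ultimate, full, marginal or unknown."""
    validity = {k: UNKNOWN for k in keys}
    depth: Dict[str, int] = {}
    for k, key in keys.items():
        if key.ownertrust == ULTIMATE:       # your own keys: valid without any certification
            validity[k], depth[k] = ULTIMATE, 0

    changed = True
    while changed:                           # iterate to a fixed point; validity only ever rises
        changed = False
        for k, key in keys.items():
            if validity[k] in (ULTIMATE, FULL):
                continue
            fulls = marginals = chain_depth = 0
            for signer_id, level in key.certs:
                signer = keys.get(signer_id)
                if signer is None or signer_id == k:           # unknown signer or self-signature
                    continue
                if level != 0 and level < min_cert_level:      # sig1 "persona" dropped by default
                    continue
                if validity.get(signer_id) not in (ULTIMATE, FULL):  # signer's key must itself be valid
                    continue
                if depth[signer_id] + 1 > max_cert_depth:
                    continue
                # Only the ownertrust you assigned to the signer counts; the sig level does not.
                if signer.ownertrust in (ULTIMATE, FULL):
                    fulls += 1
                elif signer.ownertrust == MARGINAL:
                    marginals += 1
                else:                                          # unknown/never: contributes nothing
                    continue
                chain_depth = max(chain_depth, depth[signer_id] + 1)

            if fulls >= completes_needed or marginals >= marginals_needed:
                new = FULL
            elif fulls + marginals > 0:
                new = MARGINAL
            else:
                new = UNKNOWN
            if new != validity[k]:
                validity[k], depth[k] = new, chain_depth
                changed = True
    return validity


# Constructed keyring: alice is "us"; the rest illustrate the rules above.
SAMPLE_KEYRING: Dict[str, Key] = {k.keyid: k for k in [
    Key("alice", ULTIMATE),
    Key("bob", FULL, [("alice", 3)]),                  # sig3 from alice
    Key("carol", MARGINAL, [("alice", 0)]),            # sig0 from alice: valid just the same
    Key("dave", MARGINAL, [("alice", 0)]),
    Key("heidi", MARGINAL, [("alice", 0)]),
    Key("eve", UNKNOWN, [("alice", 3)]),               # sig3, but no ownertrust assigned
    Key("frank", UNKNOWN, [("bob", 0)]),               # one fully trusted signer suffices
    Key("grace", UNKNOWN, [("carol", 0), ("dave", 0), ("heidi", 1)]),  # heidi's sig1 is ignored
    Key("ivan", UNKNOWN, [("eve", 3)]),                # eve's sig3 counts for nothing
    Key("judy", UNKNOWN, [("carol", 0), ("dave", 0), ("heidi", 2)]),   # three marginals
]}

if __name__ == "__main__":
    for keyid, v in compute_validity(SAMPLE_KEYRING).items():
        print(f"{keyid:6} ownertrust={SAMPLE_KEYRING[keyid].ownertrust:9} validity={v}")
```

Running it shows what the thread argues: bob (sig3) and carol (sig0) end up equally valid, ivan stays unknown because eve's sig3 carries no ownertrust, and grace is only marginal since heidi's level 1 certification is discarded while judy reaches full validity from three marginally trusted signers. Lowering max_cert_depth to 1 drops frank back to unknown, because his only path runs through bob at depth 1.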
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users