Another couple of thoughts--

I know I am free to do whatever I want, but I am looking for
feedback and, perhaps, consensus from the community.

If I recall correctly, OpenPGP explicitly has six different certification levels (in the range 0-5), but it does not specify any semantic meaning to each level. They make recommendations, but those recommendations are not really binding.

To muddy the waters further, many OpenPGP implementations either fail to support certification-level distinctions, or make you jump through hoops in order to do it. Those hoops are often error-prone.

E.g., GnuPG. GnuPG's default certification level is a 3. If I see a signature on someone's key, I know absolutely nothing. Maybe it's a simple persona-level cert, in which case they should have certified it with a 0 but they just forgot to set the cert level. Maybe it's an "I have his DNA and fingerprints on file with me and I asked the FBI to check him out", in which case they should have certified it as a 5 but they just forgot to set the cert level. Etc., etc.

Because of these three factors--no semantic meaning associated with certification levels, some OpenPGP implementations not supporting the distinctions, and many implementations making it easy to forget that such distinctions exist--my default policy is to treat all signatures as unchecked persona-level IDs unless I know the signer personally and know they have a signature policy.


_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
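As an added illustration of the policy described in the post above (this is example code written for this page, not code from the poster or from GnuPG), the script below parses the machine-readable output of `gpg --with-colons --list-sigs`, reads the certification class GnuPG reports in field 11 of each `sig` record (RFC 4880 types 0x10 generic through 0x13 positive), and then applies the post's rule: a certification keeps its stated level only when the signer is someone whose signature policy is known, and every other certification is treated as no better than persona level. The key IDs, user IDs and timestamps in `SAMPLE_LISTING` are constructed placeholders, and the set of trusted signers is an assumption supplied by the caller.

```python
"""Classify OpenPGP user-ID certifications from `gpg --with-colons --list-sigs` output
and apply a "treat unknown signers as persona-level" policy.

Added example for this page; the sample listing below is constructed, not real key data.
"""
from dataclasses import dataclass

# RFC 4880 certification signature types -> GnuPG certification level.
# GnuPG prints the class in field 11 as two hex digits plus 'x' (exportable) or 'l' (local-only).
CERT_CLASS_TO_LEVEL = {
    0x10: 0,  # generic: signer makes no claim about how the identity was checked
    0x11: 1,  # persona: signer has not verified the identity at all
    0x12: 2,  # casual: some casual verification
    0x13: 3,  # positive: substantial verification (GnuPG's default class)
}
LEVEL_NAMES = {0: "generic", 1: "persona", 2: "casual", 3: "positive"}
PERSONA_LEVEL = 1


@dataclass(frozen=True)
class Certification:
    signer_keyid: str     # key ID of the certifying key (sig record, field 5)
    certified_uid: str    # user ID being certified (preceding uid record, field 10)
    signer_uid: str       # user ID of the signer, if GnuPG could resolve it (field 10)
    level: int            # 0..3 per CERT_CLASS_TO_LEVEL
    exportable: bool      # False for local-only ('l') certifications


def parse_list_sigs(colon_output: str) -> list[Certification]:
    """Extract third-party user-ID certifications from colon-format listing output.

    Self-signatures and non-certification classes (e.g. 0x1f direct-key, 0x30 revocation)
    are skipped because they say nothing about third-party identity checking.
    """
    certs: list[Certification] = []
    primary_keyid = ""
    current_uid = ""
    for line in colon_output.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            primary_keyid = f[4]          # the key whose certifications are being listed
        elif f[0] == "uid":
            current_uid = f[9]            # subsequent sig records certify this user ID
        elif f[0] == "sig":
            sig_class = f[10]
            if len(sig_class) < 2:
                continue
            class_byte = int(sig_class[:2], 16)
            if class_byte not in CERT_CLASS_TO_LEVEL or f[4] == primary_keyid:
                continue                  # not a certification, or a self-signature
            certs.append(Certification(
                signer_keyid=f[4],
                certified_uid=current_uid,
                signer_uid=f[9],
                level=CERT_CLASS_TO_LEVEL[class_byte],
                exportable=sig_class.endswith("x"),
            ))
    return certs


def effective_level(cert: Certification, signers_with_policy: frozenset[str]) -> int:
    """The post's policy: honour the stated level only for signers known to follow a
    signature policy; otherwise the certification counts as unchecked persona-level
    (a generic 0x10 certification is already weaker and is left as is)."""
    if cert.signer_keyid in signers_with_policy:
        return cert.level
    return min(cert.level, PERSONA_LEVEL)


def summarize(colon_output: str, signers_with_policy: frozenset[str]) -> dict[str, tuple[str, str]]:
    """Map each signer key ID to (stated level name, level name after applying the policy)."""
    return {
        c.signer_keyid: (LEVEL_NAMES[c.level], LEVEL_NAMES[effective_level(c, signers_with_policy)])
        for c in parse_list_sigs(colon_output)
    }


# Constructed sample: one key, one user ID, a self-signature and three third-party certs.
SAMPLE_LISTING = """\
pub:u:4096:1:1111111111111111:1500000000:::u:::scESC::::::23::0:
uid:u::::1500000000::HASHPLACEHOLDER::Example Owner <owner@example.invalid>::::::::::0:
sig:::1:1111111111111111:1500000000::::Example Owner <owner@example.invalid>:13x::::::::2:
sig:::1:2222222222222222:1500100000::::Careful Signer <careful@example.invalid>:13x::::::::2:
sig:::1:3333333333333333:1500200000::::Default Signer <default@example.invalid>:13x::::::::2:
sig:::1:4444444444444444:1500300000::::Local Signer <local@example.invalid>:12l::::::::2:
"""

# Assumption: only this signer is personally known and known to have a signature policy.
KNOWN_POLICY_SIGNERS = frozenset({"2222222222222222"})

if __name__ == "__main__":
    for keyid, (stated, treated) in summarize(SAMPLE_LISTING, KNOWN_POLICY_SIGNERS).items():
        print(f"{keyid}: stated={stated:9} treated as={treated}")
```

In the sample, both unknown signers used GnuPG's default class 0x13, so nothing in the signature itself distinguishes a careful check from a forgotten `--ask-cert-level` prompt; the policy collapses both to persona level and keeps the positive level only for the signer whose practice is known.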