On 18/10/13 08:41, Werewolf wrote:
> Now what if the Company/HR department had a Notary public for their
> documents, and this same Notary had a gpg key he/she treated the same as his/her
> stamp equipment, and used the same standards before signing a gpg key?
Then you could simply sign the notary's key and assign it full ownertrust. No need to sign keys you verified by checking the notary's signature.

In fact, if I found out someone was uploading signatures to the keyserver for which they did no more verification than checking the signatures made by people they trust, I would immediately assign that person "I do NOT trust" in my trust database. They are poisoning my Web of Trust!

If I trust the notary as well, I can also assign that person ownertrust and get valid keys through his or her signatures. But if other people are signing keys purely based on the notary's signature, they are meddling with my parameters "marginals needed", "completes needed" and "max cert depth".

Suppose I have "marginals needed" set to 3. And 3 people I assigned marginal trust did no more than verify the signature by the notary before signing some key themselves. All the verification that has been done on the identity of the person holding that key is done by a single person, the notary. But I see 3 people who supposedly have verified the identity.

Also, if the signature path to the notary is longer than the signature path to these 3 people, they have just artificially altered my "max cert depth" by shortcutting the route that would otherwise have gone through the notary, who actually did the verification.

The moral: I think it is a really bad idea to sign keys because you trust already made signatures. That's what your trust database is for; use that. You should sign keys because you verified the identity *outside* the Web of Trust.

All this only applies to exportable signatures. If you wish to make a local signature on some key to make it valid, go right ahead. You're not meddling with my Web of Trust that way. You might inadvertently meddle with your own, though!

HTH,

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
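The effect Peter describes can be reproduced with a small model of GnuPG's classic trust calculation (ownertrust, "marginals needed", "completes needed", "max cert depth"). This is an added illustration, not code from the list thread or from GnuPG; the key holders (Me, Hank, Notary, Alice, Bob, Carol, Dave) and their signatures are a constructed scenario.

```python
from typing import Dict, Optional, Set

ULTIMATE, FULL, MARGINAL, NONE = "ultimate", "full", "marginal", "none"

def compute_validity(signatures: Dict[str, Set[str]], ownertrust: Dict[str, str],
                     marginals_needed: int = 3, completes_needed: int = 1,
                     max_cert_depth: int = 5) -> Dict[str, int]:
    """Return {key: depth} for every key the model considers valid.

    Ultimately trusted keys are valid at depth 0. At each further depth a key
    becomes valid when it carries enough signatures from *already valid* keys
    holding full (completes_needed) or marginal (marginals_needed) ownertrust.
    Signatures from untrusted or not-yet-valid keys count for nothing: that is
    the job of the trust database, not of extra signatures.
    """
    valid = {k: 0 for k, t in ownertrust.items() if t == ULTIMATE}
    for depth in range(1, max_cert_depth + 1):
        newly: Dict[str, int] = {}
        for key, signers in signatures.items():
            if key in valid:
                continue
            fulls = marginals = 0
            for signer in signers:
                if signer not in valid:
                    continue
                trust = ownertrust.get(signer, NONE)
                if trust in (ULTIMATE, FULL):
                    fulls += 1
                elif trust == MARGINAL:
                    marginals += 1
            if fulls >= completes_needed or marginals >= marginals_needed:
                newly[key] = depth
        if not newly:
            break
        valid.update(newly)
    return valid

# Constructed scenario: "Me" verified and signed Bob, Carol, Dave and Hank in
# person. Hank signed the HR notary's key; the notary verified Alice and signed her.
HONEST_SIGS = {"Bob": {"Me"}, "Carol": {"Me"}, "Dave": {"Me"}, "Hank": {"Me"},
               "Notary": {"Hank"}, "Alice": {"Notary"}}
# Bob, Carol and Dave add exportable signatures on Alice having checked nothing
# but the notary's signature: the practice the mail argues against.
SHORTCUT_SIGS = dict(HONEST_SIGS, Alice={"Notary", "Bob", "Carol", "Dave"})

def ownertrust(notary_trust: str) -> Dict[str, str]:
    return {"Me": ULTIMATE, "Hank": FULL, "Notary": notary_trust,
            "Bob": MARGINAL, "Carol": MARGINAL, "Dave": MARGINAL}

def alice_depth(sigs: Dict[str, Set[str]], notary_trust: str, max_cert_depth: int) -> Optional[int]:
    """Depth at which Alice's key is valid, or None if it is not valid."""
    return compute_validity(sigs, ownertrust(notary_trust), max_cert_depth=max_cert_depth).get("Alice")
```

With the honest graph, Alice is valid only when the notary is trusted and the path (depth 3) fits within max cert depth; with the three shortcut signatures she becomes valid at depth 2 even when the notary, the only person who actually checked her identity, has no ownertrust at all.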