(Sorry, failed again to reply to the list, so you probably have this message twice again.)
On Tue, Nov 05, 2013 at 05:32:38PM -0800, Paul R. Ramer wrote:
> >On Tuesday 5 November 2013 at 11:03:19 PM, in
> ><mid:52797937.5090...@gmail.com>, Paul R. Ramer wrote:
> >
> >> But if you sign it with an exportable
> >> signature, you are saying to others that you have
> >> verified the key.
> >
> >In the absence of a published keysigning policy, isn't that an
> >assumption?
>
> Signing is to be an attestation to the validity of the key.
[...]

Well, thus my reasoning (last message) allows me to prove that I can have the same level of confidence in Key 2 as in Key 1, even though I have not done again all the steps of verification. Thus, signing being an attestation of the validity of the key (I assume you meant of the confidence in the validity of the key), why should one sign Key 1 and not Key 2?

For the same reason, signing (and exporting signatures) based on people I blindly trust is not an issue to me. (I know, I just released the troll.) Because if I blindly trust these persons, I believe with absolute certainty that the person is who (s)he says (s)he is. And so I can announce this certainty by signing the key. (I use the term blindly to mean even more than the technical "ultimately", as this one could be expressed using trust signatures. Just really blindly trust, as when you would let them decide your fate, knowing they could be better off by sending you to hell.)

Of course, if I sign the key only because it is validated through technical means, not by hand-checking for a signature from a blindly trusted owner, I would never sign that other key.

The fact that others could get just the same effect by twisting their WoT parameters is not an issue to me. Firstly, because there are few trust signatures (according to best practices I read, which said trust signatures are mainly made for closed-system environments), so WoT rarely expands beyond one signature by someone you know.
But mostly because signing is an attestation of your belief someone is who (s)he is. Thus, if you believe someone is who the UID states (s)he is as much as if you met him/her in person and followed the whole verification process, I would not mind your exporting signatures of the key.

And saying that it allows the blindly trusted person to force you to see a key as validated through three persons you marginally trust means nothing to me. Indeed, these three persons are all asserting they believe with certainty that the key owner is who (s)he says (s)he is. That all used the same information source is just commonly done. Indeed, how do you check an identity?

* Name: Passport. Any government could make a passport as wanted, not even speaking about forgery. Thus everyone you know who signed some UID probably based their verification work on a single passport.
* Comment: Depends on the comment. For "CEO company X", it is probably based on public archives. Them referring to a person by his/her name, any forged passport also means forged name.
* Email: Probably a mere exchange of emails. Thus, anyone doing MitM could intercept the exchange and reply so as to make you validate the key, and even without MitM, the email provider could do as well.

Every time, the certainty of the UID element is heavily dependent on others' work. Thus, why should we refuse to base our work on others' signatures? (*assuming* you believe in the UID validity as much as you would have done using full verification)

I just found a "counter-example": in case the message (signed by Key 1) telling that the owner of Key 1 is the owner of Key 2 is signed by a subkey, which might have been compromised. However, I assumed such a message would only be sent signed using the master key, as it must be totally relied upon. Thus, anyone able to forge such a message would be able to forge any message using the master key, and especially to add new encryption subkeys... Thus, such a scenario is not a threat IMHO.
Cheers,
Leo
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
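As an added illustration of the "three persons you marginally trust" situation debated in the message above (this is example code written for this page, not Leo's code and not GnuPG's implementation), the following Python sketch evaluates key validity under the classic trust-model defaults: one fully trusted certifier or three marginally trusted ones make a key valid, and a certification only counts when the certifier's own key is itself valid. The key ids, trust assignments and web of trust are constructed for the example; expiry, revocation and trust signatures are ignored.

```python
from typing import Dict, Set

# Owner-trust levels: what the local user believes about a key's owner
# as a certifier of other people's keys.
ULTIMATE, FULL, MARGINAL, NONE = "ultimate", "full", "marginal", "none"


def compute_validity(owner_trust: Dict[str, str],
                     certs: Dict[str, Set[str]],
                     completes_needed: int = 1,
                     marginals_needed: int = 3,
                     max_depth: int = 5) -> Set[str]:
    """Return the set of key ids considered valid.

    owner_trust: key id -> trust level assigned locally
    certs: certified key id -> set of key ids that signed one of its UIDs
    Iterates to a fixpoint, at most max_depth rounds (chain length), so a
    certification counts only once the certifier's key is already valid.
    """
    # Ultimately trusted keys (your own) are valid by definition.
    valid = {k for k, t in owner_trust.items() if t == ULTIMATE}
    for _ in range(max_depth):
        new = set(valid)
        for key, signers in certs.items():
            if key in new:
                continue
            usable = [s for s in signers if s in valid]
            fulls = sum(1 for s in usable
                        if owner_trust.get(s, NONE) in (FULL, ULTIMATE))
            margs = sum(1 for s in usable
                        if owner_trust.get(s, NONE) == MARGINAL)
            if fulls >= completes_needed or margs >= marginals_needed:
                new.add(key)
        if new == valid:
            break
        valid = new
    return valid


# Constructed sample web of trust (hypothetical key ids).
OWNER_TRUST = {"ME": ULTIMATE, "ALICE": MARGINAL, "BOB": MARGINAL,
               "CAROL": MARGINAL, "DAVE": FULL}
CERTS = {
    "ALICE": {"ME"}, "BOB": {"ME"}, "CAROL": {"ME"},  # verified by me in person
    "DAVE": {"ALICE"},                 # one marginal certifier: not enough
    "KEY2": {"ALICE", "BOB", "CAROL"},  # three marginal certifiers: valid
    "KEY3": {"DAVE"},                  # DAVE is fully trusted, but DAVE's key is not valid
}

if __name__ == "__main__":
    print(sorted(compute_validity(OWNER_TRUST, CERTS)))
```

Raising marginals_needed to 4 drops KEY2 again, and certifying DAVE's key yourself makes KEY3 valid through DAVE's full trust.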