[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Web of Trust (a revolution)

Anne Wilson wrote:
> Exactly.  In this case there were all the appropriate checks, but
> all you can see is a list of names, and I suppose you can check that
> those names are ones you have reason to trust, but that's all, and
> it's a bit vague.

Doesn't it go without saying that each person should only trust people
that they, well, trust? :)

> Absolutely.  It would help if the action of signing included some
> information about the act, such as whether it was carried out at a
> LUG, Conference, or some other organisation, so you could come to
> some decision about its reliability, but there is no such thing.

Actually, there is a way to make such notes (though that still won't
mean much to anyone that doesn't already trust you to make decent

You can include notations when you sign/certify a key.  You can also
include a certification policy URL.  These can be displayed in gpg
with the show-notations and show-policy-urls list options.

For example, on keys I've signed in the past few years, I added a
policy URL.  The results look a bit like this:

$ gpg --list-options 'show-policy-urls' --list-sigs silfreed
pub   1024D/ED00D312 2000-06-21
uid                  Douglas E. Warner <silfreed    >
sig 3        ED00D312 2005-11-02  Douglas E. Warner <silfreed    >
sig 2   P    BEAF0CE3 2006-08-07  Todd M. Zullinger <tmz    >
   Signature policy: http://www.pobox.com/~tmz/pgp/cert-policy.asc

I don't intend for that to make anyone trust my signatures unless they
know a bit about me, of course.  But I do try to be a good example and
let those who may trust me know just what I mean when they see a
signature from me on a key.

Both notations and cert policy URLS may contain some data that is
unique to a particular signature.  Strings such as %k, %K, and %f will
be expanded to the short key id, long key id, and fingerprint of the
key being signed, respectively.  That way, you could make the notation
or policy URL point to a page for each signature.  There you could
include such details as where you met, what information you exchanged,

Todd        OpenPGP -> KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
Hard work never killed anybody, but why take a chance?
    -- Charlie McCarthy

Attachment: pgpABJuSitauS.pgp
Description: PGP signature

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]