Thomas Kuehne wrote:
> I've started to analyze the trust relations between the keys of various
> keysigning parties. The data below is a generalization of several
> keysigning parties.
>
> the setting:
> * more than 20 potential participants
> * more than 15 attendees
> * 1-3 keys that signed every single key of all announced participants,
>   even those that most likely never attended the party
>
> The interesting point is that those 1-3 keys haven't got a single
> signature from any of the other participants.
> <snip>
> 4) The owners are bad signers and didn't take part in the ID
> verification step of the signature process.
> <snip>
>
> How should 4) be dealt with?
>
> As far as I am aware there is no negative signature or any other way to
> mark those keys - except for local trust settings.
>
Don't sign their keys? Tell them if you do get a chance to sign their keys, "I am not going to sign your key because you do not understand the implications of the web of trust" and make them revoke their signatures on all the keys they have signed without verifying them? If you are lucky, they will be level 1 signatures, so you can exclude them. If you are unlucky, they will be non-revocable level 3 trust signatures 10 deep.

Setting ownertrust to "none" in these cases is a good idea; at least then your WOT won't be contaminated by their signatures. However, I find it unlikely that they would even enter into your WOT to start with; if that is the case, you need not even worry about what their signatures are doing. Just set ownertrust to "none" and forget about it. Use the --always-trust option when encrypting (IIRC GPG will still "warn" you but will at least let you encrypt).

There is of course possibility 5), which appears to happen most often with PGP newbies (because it's TOO easy to use, and the instructions likely don't require any understanding): the possibility that they should have made local signatures on the keys, but didn't, and PGP automagically "refreshed" their entire keyring, spreading these signatures into the wild. For an excellent example of this, check the PGP global directory key; there are many signatures which have been revoked due to accidental non-local signing, and many keys in the keyserver network have PGP GD sigs on them, again due to "automagic" refreshing (most likely through LDAP).

I realise that this has turned into a bit of a screed, but it looks like the best policy is: Don't do stuff unless you know what you are doing! Don't use software that does stuff behind your back! Use Free software!
--
Alphax
Encrypted Email Preferred
OpenPGP key ID: 0xF874C613
http://tinyurl.com/cc9up
ASCII Ribbon Campaign: Against HTML email & vCards

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
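An added example, not part of the thread, of the keyring audit Thomas describes: it parses constructed `gpg --with-colons --list-sigs` output (the key IDs and user IDs are made up) and reports keys that signed every other announced key but received no signature back. Local signatures (class ending in "l") are ignored, since they never leave the keyring, which is the distinction behind possibility 5).

```python
from collections import defaultdict

# Constructed sample of `gpg --with-colons --list-sigs` output (not a real
# keyring). Field 5 is the key ID; on "sig" records it is the signer's key
# and field 11 the class ("13x" exportable, "13l" local). A and B signed each
# other; E signed everyone, including D who never attended, and got nothing back.
SAMPLE = """\
pub:u:2048:1:A1A1A1A1A1A1A1A1:1130000000::::::scESC::::::
uid:u::::1130000000::X::Alice <alice@example.org>::::::::::
sig:::1:A1A1A1A1A1A1A1A1:1130000000::::Alice <alice@example.org>:13x:
sig:::1:B2B2B2B2B2B2B2B2:1130000100::::Bob <bob@example.org>:13x:
sig:::1:D4D4D4D4D4D4D4D4:1130000400::::Dave <dave@example.org>:13l:
sig:::1:E5E5E5E5E5E5E5E5:1130000300::::Eve <eve@example.org>:13x:
pub:u:2048:1:B2B2B2B2B2B2B2B2:1130000000::::::scESC::::::
uid:u::::1130000000::X::Bob <bob@example.org>::::::::::
sig:::1:B2B2B2B2B2B2B2B2:1130000000::::Bob <bob@example.org>:13x:
sig:::1:A1A1A1A1A1A1A1A1:1130000100::::Alice <alice@example.org>:13x:
sig:::1:E5E5E5E5E5E5E5E5:1130000300::::Eve <eve@example.org>:13x:
pub:u:2048:1:D4D4D4D4D4D4D4D4:1130000000::::::scESC::::::
uid:u::::1130000000::X::Dave <dave@example.org>::::::::::
sig:::1:D4D4D4D4D4D4D4D4:1130000000::::Dave <dave@example.org>:13x:
sig:::1:E5E5E5E5E5E5E5E5:1130000300::::Eve <eve@example.org>:13x:
pub:u:2048:1:E5E5E5E5E5E5E5E5:1130000000::::::scESC::::::
uid:u::::1130000000::X::Eve <eve@example.org>::::::::::
sig:::1:E5E5E5E5E5E5E5E5:1130000000::::Eve <eve@example.org>:13x:
"""
ANNOUNCED = {"A1A1A1A1A1A1A1A1", "B2B2B2B2B2B2B2B2",
             "D4D4D4D4D4D4D4D4", "E5E5E5E5E5E5E5E5"}

def parse_signatures(colon_output):
    """Map key ID -> signers (incoming) and signer -> signed keys (outgoing),
    skipping self-signatures and local "l" signatures, which never spread."""
    incoming, outgoing = defaultdict(set), defaultdict(set)
    current = None
    for line in colon_output.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            current = f[4]
        elif f[0] == "sig" and current and f[4] != current and not f[10].endswith("l"):
            incoming[current].add(f[4])
            outgoing[f[4]].add(current)
    return incoming, outgoing

def indiscriminate_signers(colon_output, announced):
    """Keys that signed every other announced key yet received no signature
    from any announced key: the case 4) pattern described in the thread."""
    incoming, outgoing = parse_signatures(colon_output)
    announced = set(announced)
    return sorted(k for k in announced
                  if outgoing[k] >= announced - {k} and not incoming[k] & announced)
```

Running `indiscriminate_signers(SAMPLE, ANNOUNCED)` on the sample returns only Eve's key; Dave's local signature on Alice is not counted as outgoing, so Dave is not treated as having signed anyone.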