Alyssa Ross <h...@alyssa.is> writes:
>> > For example, why isn't ask-cert-level a default?
>>
>> For an alternative view on ask-cert-level see also:
>>
>> https://debian-administration.org/users/dkg/weblog/98
>
> Oh, interesting. Thank you for showing this to me. I had it in my head
> that a "weak" signature would count as a marginal in the web of trust,
> but I suppose I was wrong about that.
>
> In that case, I agree that ask-cert-level doesn't make sense as a
> default.

Well, that's also an ecosystem issue, and if I'm not mistaken this thread (or was it another one?) was going quite far in the “let's fix the ecosystem and keep the standard” direction.

“weak” *could* be used for verification. For instance, if I were to write an OpenPGP client, I'd likely make it so that:

 * Trust (which is 0-255 in the standard) is a slider with marks like “I trust not at all|a bit|a lot|completely” (with a proper sentence so that people understand, not like what I'm putting here)
 * Signature level (4 levels in the standard) is a similar slider
 * Both trust and signature level are mapped to a [0, 1] value, and multiplied to get the amount of confidence we have thanks to this particular signature that the key is correct
 * All such amounts of confidence get added, and the “3-marginals or 1-full” rule becomes a simple number that needs to be passed with this addition (also configured as a slider with some “normal user / … / paranoid user” landmarks)

(for trust signatures, in such a scheme they'd first be cut off to follow the OpenPGP certification, and then get multiplied by the length of the path, to account for decreasing trust along longer paths)

This is compatible with RFC4880 (well, except it doesn't respect the “SHOULD” that full trust is 120 and marginal 60, because it actually uses the whole range).

So ask-cert-level might make sense as a default. Just not as GnuPG's default, as GnuPG doesn't have such a behavior (and no client that I know of currently does). But someday, maybe.

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
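
The scoring scheme sketched in the message above, as an added example that is not part of the original post and is not GnuPG behavior: each certification contributes trust × level, and the sum is compared with a single threshold. The level weights, the threshold of 1.0, counting each signer once, and the sample key IDs are assumptions; trust signatures and path length are left out.

```python
from dataclasses import dataclass

# OpenPGP certification signature types (RFC 4880, section 5.2.1).
GENERIC, PERSONA, CASUAL, POSITIVE = 0x10, 0x11, 0x12, 0x13

# Assumed slider positions for each certification level; the message only
# says the four levels map onto [0, 1], so these weights are illustrative.
LEVEL_WEIGHT = {GENERIC: 0.5, PERSONA: 0.0, CASUAL: 0.5, POSITIVE: 1.0}


@dataclass(frozen=True)
class Certification:
    signer: str  # key ID of the certifying key (constructed sample values)
    trust: int   # owner trust assigned to the signer, 0-255
    level: int   # certification signature type, 0x10-0x13


def confidence(cert: Certification) -> float:
    """Confidence from one certification: trust x level, both in [0, 1]."""
    if not 0 <= cert.trust <= 255:
        raise ValueError(f"trust out of range: {cert.trust}")
    if cert.level not in LEVEL_WEIGHT:
        raise ValueError(f"not a certification type: {cert.level:#x}")
    return (cert.trust / 255) * LEVEL_WEIGHT[cert.level]


def key_score(certs) -> float:
    """Sum of confidences; assumption: each signer counts once (strongest)."""
    best = {}
    for c in certs:
        best[c.signer] = max(best.get(c.signer, 0.0), confidence(c))
    return sum(best.values())


def is_valid(certs, threshold: float = 1.0) -> bool:
    """'3 marginals or 1 full' replaced by one configurable threshold."""
    return key_score(certs) >= threshold


# Constructed sample: certifications found on one key.
SAMPLE = [
    Certification("AAAA", 255, POSITIVE),  # completely trusted, careful check
    Certification("BBBB", 255, PERSONA),   # completely trusted, no check made
    Certification("CCCC", 128, CASUAL),    # somewhat trusted, casual check
    Certification("CCCC", 128, GENERIC),   # same signer again, counted once
]
```

With these weights a completely trusted signer who made no identity check (`PERSONA`) adds nothing to the score, which is the case where the certification level changes the outcome.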