[Enigmail] Setting trust levels for unknown keys

Faramir faramir.cl at gmail.com
Wed Apr 29 16:35:48 PDT 2009



Daniel Kahn Gillmor wrote:
> On 04/29/2009 05:27 PM, Faramir wrote:
>> I just fully trust keys I have exchanged by hand in a
>> face-to-face meeting, all the other keys are marginally trusted. But
>> that's better than "don't know".


> This strikes me as an example of the confusion between "calculated
> validity" and "ownertrust" that many OpenPGP tools encourage.

   Yes, I was talking about validity, not about trust in the signatures
issued from those keys.


> Just because I've met "Eve L. Hacker" in person and verified her
> identity does *not* mean that i trust her to properly identify other people.

  No, but you can be reasonably secure about Eve L. Hacker being the
owner of her key...


> Certainly, don't set ownertrust at all for keys to which you have no
> calculated validity.  But you may also want to consider setting
> ownertrust on a key whose owner you have never met face-to-face in
> certain circumstances.  For example:
> 
>  * you have full calculated validity to their key already through other
> connections in the WoT, and

   Yes, that was exactly what I wanted to achieve by "trusting" the
signatures issued by CAcert: to be able to calculate validity of keys
belonging to people I can't meet face-to-face.


>  * this person has published their keysigning policy, and has an
> untarnished public record of holding true to it, and

   In the case of CAcert, they just sign keys of people who have had
their identities checked by at least 2 other members of the CAcert Community,
and only if the name and e-mail address in the UID match the name
which was on the government-issued Photo-ID presented at the time of
verifying the ID, and the e-mails have passed an e-mail control challenge.

>  * their keysigning policy seems reasonable to you.

   In the case of CAcert, it does.

   I have never suggested trusting the signatures issued by keys signed
by CAcert or by GSWoT.
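As an added illustration of the validity-versus-ownertrust distinction discussed in this thread (not code from the thread, from Enigmail or from GnuPG), here is a small Python model of GnuPG's classic trust model with its default thresholds (marginals-needed 3, completes-needed 1, max-cert-depth 5). Key names are constructed placeholders; it shows that Eve's key can be fully valid without Eve being an introducer, while a fully ownertrusted CAcert key makes the keys it has signed valid.

```python
from enum import IntEnum

# Ownertrust levels as in GnuPG's classic trust model (constructed enum).
class Trust(IntEnum):
    UNKNOWN = 0
    NEVER = 1
    MARGINAL = 2
    FULL = 3
    ULTIMATE = 4

MARGINALS_NEEDED = 3  # GnuPG default --marginals-needed
COMPLETES_NEEDED = 1  # GnuPG default --completes-needed
MAX_CERT_DEPTH = 5    # GnuPG default --max-cert-depth

def calculate_validity(certs, ownertrust):
    """certs: {key: set of keys whose signatures appear on key};
    ownertrust: {key: Trust}. Returns {key: "full"|"marginal"|"unknown"}."""
    validity = {k: "full" for k, t in ownertrust.items() if t == Trust.ULTIMATE}
    for _ in range(MAX_CERT_DEPTH):  # each pass extends chains by >= 1 hop
        changed = False
        for key, signers in certs.items():
            if validity.get(key) == "full":
                continue
            # Only signers that are themselves fully valid AND carry ownertrust
            # can introduce a key; validity alone (Eve, met in person) is not enough.
            introducers = [ownertrust.get(s, Trust.UNKNOWN) for s in signers
                           if validity.get(s) == "full"]
            full = sum(t >= Trust.FULL for t in introducers)
            marginal = sum(t == Trust.MARGINAL for t in introducers)
            if full >= COMPLETES_NEEDED or marginal >= MARGINALS_NEEDED:
                validity[key], changed = "full", True
            elif (full or marginal) and validity.get(key) != "marginal":
                validity[key], changed = "marginal", True
        if not changed:
            break
    return {k: validity.get(k, "unknown") for k in certs}

# Constructed keyring: names are placeholders, not real keys.
CERTS = {
    "me": set(),
    "eve": {"me"},          # verified face-to-face, so I signed her key
    "cacert": {"me"},       # CAcert's signing key, validated and signed by me
    "alice": {"cacert"},    # never met; only carries a CAcert signature
    "bob": {"eve"},         # signed by Eve only
    "carol": {"m1", "m2"},  # two marginal introducers: fewer than needed
    "m1": {"me"}, "m2": {"me"},
}
# Eve has full validity but no ownertrust, so Bob stays unknown.
OWNERTRUST = {"me": Trust.ULTIMATE, "cacert": Trust.FULL,
              "m1": Trust.MARGINAL, "m2": Trust.MARGINAL}

if __name__ == "__main__":
    for key, v in calculate_validity(CERTS, OWNERTRUST).items():
        print(f"{key:7s} {v}")
```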

