Web of Trust (a revolution)

Todd Zullinger tmz at pobox.com
Mon Mar 30 23:10:01 UTC 2009


Anne Wilson wrote:
> Exactly.  In this case there were all the appropriate checks, but
> all you can see is a list of names, and I suppose you can check that
> those names are ones you have reason to trust, but that's all, and
> it's a bit vague.

Doesn't it go without saying that each person should only trust people
that they, well, trust? :)

> Absolutely.  It would help if the action of signing included some
> information about the act, such as whether it was carried out at a
> LUG, Conference, or some other organisation, so you could come to
> some decision about its reliability, but there is no such thing.

Actually, there is a way to make such notes (though that still won't
mean much to anyone that doesn't already trust you to make decent
signatures).

You can include notations when you sign/certify a key.  You can also
include a certification policy URL.  These can be displayed in gpg
with the show-notations and show-policy-urls list options.

For example, on keys I've signed in the past few years, I added a
policy URL.  The results look a bit like this:

$ gpg --list-options 'show-policy-urls' --list-sigs silfreed
pub   1024D/ED00D312 2000-06-21
uid                  Douglas E. Warner <silfreed at ...>
sig 3        ED00D312 2005-11-02  Douglas E. Warner <silfreed at ...>
sig 2   P    BEAF0CE3 2006-08-07  Todd M. Zullinger <tmz at ...>
   Signature policy: http://www.pobox.com/~tmz/pgp/cert-policy.asc
[...]

I don't intend for that to make anyone trust my signatures unless they
know a bit about me, of course.  But I do try to be a good example and
let those who may trust me know just what I mean when they see a
signature from me on a key.

Both notations and cert policy URLs may contain some data that is
unique to a particular signature.  Strings such as %k, %K, and %f will
be expanded to the short key id, long key id, and fingerprint of the
key being signed, respectively.  That way, you could make the notation
or policy URL point to a page for each signature.  There you could
include such details as where you met, what information you exchanged,
etc.

-- 
Todd        OpenPGP -> KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Hard work never killed anybody, but why take a chance?
    -- Charlie McCarthy
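As an added example (not part of Todd's message or of gpg itself), here is a POSIX sh script that performs the %k, %K and %f expansion described above on a constructed sample fingerprint and prints the gpg command line that would certify a key with such a policy URL and notation; the fingerprint, the example.invalid URLs and the notation name are all hypothetical.

```shell
#!/bin/sh
# Expand the placeholders gpg substitutes in --cert-policy-url and
# --cert-notation values so one template yields a per-signature URL.
# The fingerprint below is constructed for illustration, not a real key.

SAMPLE_FPR="0123456789ABCDEF0123456789ABCDEF01234567"   # constructed 40-hex-digit fingerprint

# expand_cert_template TEMPLATE FINGERPRINT
#   %k -> short key id (last 8 hex digits), %K -> long key id (last 16),
#   %f -> full fingerprint, %% -> a literal percent sign.
expand_cert_template() {
    template=$1
    fpr=$2
    short=$(printf '%s' "$fpr" | tail -c 8)
    long=$(printf '%s' "$fpr" | tail -c 16)
    # Protect %% first so a template such as "%%k" stays a literal "%k".
    printf '%s\n' "$template" | sed \
        -e 's/%%/__PCT__/g' \
        -e "s/%k/$short/g" \
        -e "s/%K/$long/g" \
        -e "s/%f/$fpr/g" \
        -e 's/__PCT__/%/g'
}

# Hypothetical templates; gpg applies the same expansion to them itself.
POLICY_TEMPLATE="https://example.invalid/pgp/cert/%f.html"
NOTATION_TEMPLATE="met@example.invalid=see https://example.invalid/pgp/cert/%k"

# Print (do not run) the gpg invocation that would certify the key whose
# key id or fingerprint is given as $1 with the policy URL and notation
# attached to the certification signature.
show_sign_command() {
    printf 'gpg --cert-policy-url "%s" --cert-notation "%s" --sign-key %s\n' \
        "$POLICY_TEMPLATE" "$NOTATION_TEMPLATE" "$1"
}

echo "Policy URL gpg would store : $(expand_cert_template "$POLICY_TEMPLATE" "$SAMPLE_FPR")"
echo "Notation gpg would store   : $(expand_cert_template "$NOTATION_TEMPLATE" "$SAMPLE_FPR")"
show_sign_command "$SAMPLE_FPR"
```

After signing, `gpg --list-options show-policy-urls,show-notations --list-sigs KEYID` shows the expanded values on the signature line.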
