FW: [clug] ettiquette dilemma

paul at pabryan.mine.nu
Mon Jan 19 14:31:12 GMT 2004


On Mon, Jan 19, 2004 at 08:41:11PM +1100, Ambrose Andrews wrote:
> As for whose keys to sign, i'd have thought signing someone's key doesn't
> imply trust in their capacity to sign other keys, but merely in their
> identity itself (and some rudimentary capacity to protect their private
> key).  As for whether you trust that person's signing of other keys, i guess
> some doubt is in order.

It depends. If you're just verifying identity, then sure. When you add the
concept of the web-of-trust into it, I think it changes things a little. If you
know that I'm really paranoid about whose keys I sign, you're going to be more
likely to set the trust on my key higher than on other people's. You build up a
web of trust that allows you to be reasonably sure that if someone's key is
signed by mine, they are not only who they say they are, but a "responsible"
PGP user.

It just depends on how far you want to take it. There are two ends of the
scale - people who, before signing keys, personally verify the identity of the
person and how well they manage their own keys and are hugely paranoid. Then
there's someone who signs anyone's key without verifying anything and who posts
their private key on usenet etc.

It's all about building the web of trust. I'm not going to trust anyone who
was at the key signing unless I personally know them. So, I've verified who
they are, but haven't increased my web of trust.

> In context though, I think it was more of a one-off careless mistake
> conditioned by the fact that my name was at the top of the list (and thus
> the beginning of the signing fiesta before a routine had set in) rather than
> a conceptual failure.

Yeah, the question is, would you want to be known as someone who signs careless
PGP users' keys? That's essentially what it comes down to here. I want to be
part of a web of trust. Trust is something you need to earn. In this context,
you earn it by being careful.

> So if you want to assign low confidence in keys signed by the individual
> concerned that's reasonable enough, but the decision of whether to actually
> sign his key would be more an issue of whether he is who he says he is, and
> whether he is capable of protecting his private key.

In this case though, it may be a little over the top to refuse to sign the key.
These sorts of things are always a bit hazy :( Perhaps I shouldn't have jumped
the gun and said I wasn't going to sign it outright before knowing more about
what happened. Still, like I say, it's probably not a bad thing to start out
being paranoid and then maybe step down a little from there as opposed to the
other way round :)

Cheers,
Paul.
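The distinction drawn in this thread (a signature attests identity, while the owner trust you assign decides whether that person's signatures count for anything) is exactly what GnuPG's classic trust model computes. The following is an added example, not code from the thread or from GnuPG itself: a toy implementation of that calculation using GnuPG's documented defaults of one fully trusted or three marginally trusted signatures, run over a constructed keyring of hypothetical names (`me`, `paul`, `carl`, `bob`, `dave`, `m1`..`m3`, `grace`, `heidi`).

```python
from dataclasses import dataclass, field

ULTIMATE, FULL, MARGINAL, NONE = "ultimate", "full", "marginal", "none"

@dataclass
class Key:
    owner: str
    signers: set = field(default_factory=set)  # key ids that have signed this key
    ownertrust: str = NONE  # how far you trust the owner as a signer of other keys

def key_validity(keyring, name, marginals_needed=3, completes_needed=1, _seen=frozenset()):
    """Return 'valid', 'marginal' or 'unknown' for the key called name.

    A signature counts only if the signer's key is itself valid to you AND you
    assigned the signer owner trust: one fully trusted signature, or
    marginals_needed marginally trusted ones, makes the key valid.
    """
    key = keyring[name]
    if key.ownertrust == ULTIMATE:  # your own key is valid by definition
        return "valid"
    seen = _seen | {name}  # guard against signature cycles (A signs B, B signs A)
    full = marginal = 0
    for signer in key.signers:
        s = keyring.get(signer)
        if s is None or signer in seen:
            continue
        if key_validity(keyring, signer, marginals_needed, completes_needed, seen) != "valid":
            continue
        if s.ownertrust in (ULTIMATE, FULL):
            full += 1
        elif s.ownertrust == MARGINAL:
            marginal += 1
    if full >= completes_needed or marginal >= marginals_needed:
        return "valid"
    return "marginal" if (full or marginal) else "unknown"

def sample_keyring():
    """Constructed scenario with hypothetical names; 'me' holds the ultimately trusted key."""
    return {
        "me": Key("me", ownertrust=ULTIMATE),
        "paul": Key("paul", signers={"me"}, ownertrust=FULL),  # careful signer, fully trusted
        "carl": Key("carl", signers={"me"}),  # identity verified at the party, no owner trust
        "bob": Key("bob", signers={"paul"}),  # valid: reached through paul's signature
        "dave": Key("dave", signers={"carl"}),  # unknown: carl's signature counts for nothing
        **{m: Key(m, signers={"me"}, ownertrust=MARGINAL) for m in ("m1", "m2", "m3")},
        "grace": Key("grace", signers={"m1", "m2"}),  # two marginals: not enough
        "heidi": Key("heidi", signers={"m1", "m2", "m3"}),  # three marginals: valid
    }
```

Signing `carl`'s key makes it valid (identity verified) but, with no owner trust assigned, extends the web no further, which is the "verified who they are, but haven't increased my web of trust" situation.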

