Peter Lebbing's thoughtful consideration of the issues in this thread was spot-on, imho. Thanks, Peter!
On 04/29/2013 12:29 AM, Quinn Wood wrote:
> My question in simpler terms could probably be summed up "How can one find
> the most popular- most signed- key (matching some query such as name or
> email of course) while successfully avoiding falsely inflated signature
> counts (such as keys which only have more signatures than another due to
> their age or due to actual malicious acts like mass signing.)

One person's "falsely-inflated signature counts" is another person's "well-established participant in the keysigning culture", i'm afraid.

One of the beauties of OpenPGP's certification model is that no one can require anyone to consider any particular certification (or set of certifications) to be acceptable or valid.

And this is a good thing, because if you tell me that the "most popular" key is just the one signed by the most other keys, and the key you're looking for belongs to a user named "Alice <[email protected]>", then all i have to do is scan the keyservers for such a key, see that it has certifications from N keys on it, and then create a new key with User ID "Alice <[email protected]>", plus N+1 new keys, and have them all certify the new key+userid.

when the cost of a new "sockpuppet" identity is nil, voting systems (like "most popular key") tend toward being gameable.

what specifically are you trying to do in the bigger picture? maybe folks here can give you some suggestions if we can see what you're trying to accomplish in the abstract?

hth,

--dkg
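A small model of the point made in the message above, added here as an example (not code from the post or from GnuPG): it compares ranking candidate keys by raw certification count with counting only certifications from keys the verifier already trusts. All key IDs, function names and the `needed` threshold are constructed for illustration, and the anchored rule is a simplification, not GnuPG's actual trust computation.

```python
from typing import Dict, Optional, Set

Certs = Dict[str, Set[str]]  # candidate key ID -> IDs of keys that certified it

def most_signed(candidates: Certs) -> str:
    """The 'most popular key' rule: highest raw certification count wins."""
    return max(candidates, key=lambda kid: len(candidates[kid]))

def anchored_choice(candidates: Certs, my_introducers: Set[str],
                    needed: int = 1) -> Optional[str]:
    """Count only certifications made by keys the verifier already trusts.

    Returns None when no candidate reaches `needed`, or when the best
    score is tied, instead of falling back to raw counts.
    """
    scores = {kid: len(signers & my_introducers)
              for kid, signers in candidates.items()}
    best = max(scores.values(), default=0)
    winners = [kid for kid, score in scores.items() if score == best]
    if best < needed or len(winners) != 1:
        return None
    return winners[0]

def with_sockpuppets(candidates: Certs, target: str, forged_id: str) -> Certs:
    """Model the scenario in the message: a look-alike key that carries
    certifications from N+1 freshly created keys, where N is the number
    of certifications on the target key."""
    n = len(candidates[target])
    inflated = dict(candidates)
    inflated[forged_id] = {f"SOCK{i:04d}" for i in range(n + 1)}
    return inflated

# Constructed sample data (hypothetical key IDs).
GENUINE: Certs = {"AAAA1111": {"PEER0001", "PEER0002", "PEER0003"}}
MY_INTRODUCERS = {"PEER0002", "PEER0003"}   # keys this verifier checked personally
KEYSERVER_VIEW = with_sockpuppets(GENUINE, "AAAA1111", "BBBB2222")

if __name__ == "__main__":
    print("raw count picks:     ", most_signed(KEYSERVER_VIEW))
    print("anchored count picks:", anchored_choice(KEYSERVER_VIEW, MY_INTRODUCERS))
    print("no introducers:      ", anchored_choice(KEYSERVER_VIEW, set()))
```

With no trusted introducers the anchored rule declines to choose, which is the model's version of "no one can require anyone to consider any particular certification valid".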
_______________________________________________
Gnupg-users mailing list
[email protected]
http://lists.gnupg.org/mailman/listinfo/gnupg-users
