On Tue, Sep 17, 2013 at 4:17 PM, Daniel Kahn Gillmor <[email protected]> wrote: > On 09/17/2013 09:56 AM, Philip Jägenstedt wrote: > >> Going with the GnuPG built-on model, it seems like I can get the "n >> people would need to be deceived" effect by (in a temporary keyring) >> assigning marginal trust to all keys in the world and >> --marginals-needed n, without requiring the paths to be independent. >> Does that sound right? > > No, it doesn't sound right because one key ≠ one person. It is possible > for one person to hold many keys. > > If I hold n keys, and i certify with all of them, and you grant all my > keys marginal ownertrust, then all it takes is 1 person to be deceived > (me) and you will be misled.
That's a good point. So, if you have a tool to find signature paths, it could also show a sorted list of the keys which you are trusting to some non-zero degree. If similar/identical names show up, you investigate. > I won't even go into here the difference between "n people would need to > be deceived" and "n people would need to be (convinced to be) > malicious", but it's worth considering what your actual threat model is. > > Trust is not a mechanical or universal process. Different people have > different perspectives, different information, different allies, and > different adversaries. Any system which claims that there is a > universal trust perspective would need some *very* convincing (and > highly surprising) arguments to seem plausible. That's fine, I'm just trying to figure out what others do to convince themselves that (e.g.) the GnuPG dist sig key is trustworthy-ish and if there are any tools to help with the boring bits. -- Philip Jägenstedt _______________________________________________ Gnupg-users mailing list [email protected] http://lists.gnupg.org/mailman/listinfo/gnupg-users
