Hello, from time to time when changes to GnuPG's behaviour (about validity and trust) are suggested, Werner responds with something like: "No, that should be done on top of GnuPG." This attitude makes sense, but in the current situation I would ask: How? How shall that be done on top of GnuPG without causing a huge mess of adaptation work in the higher-layer applications?
Thus I would like to suggest that – similar to gpg-agent's option "pinentry-program" – an option is added which disables gpg's internal handling of --check-trustdb / --update-trustdb and has the configured external program be called for that. This would more or less be a modified version of --import-ownertrust. This way it would become easy to test and offer other validity calculation strategies.

Simple cases:
a) The WoT could be easily disabled for newbies by configuring a validity calculator which ignores it.
b) Ignore level 0 certifications.

Less simple case:
a) The calculator could be configured to treat different keys as one (because the owner is the same); we recently discussed this need.

I don't want to distract you from the general idea by offering complicated suggestions which will never even come close to consensus... ;-)

A nice extension would be to define an output format (or database format for gpg to read the data from) so that
a) this calculator can show for each certification if and how much it contributes to the validity of another key (or: UID); IIRC this is currently not possible
b) levels for security and authenticity could be added. Today we have "valid" and "invalid". But the real world is not a dichotomy: Different kinds of information have different requirements for both security and authenticity (or the combination of both). We must map this spectrum to key selection somehow (or at least create the possibility for others to easily do so).

Hauke

--
Crypto for everyone: http://www.openpgp-schulungen.de/fuer/unterstuetzer/
http://userbase.kde.org/Concepts/OpenPGP_Help_Spread
OpenPGP: 7D82 FB9F D25A 2CE4 5241 6C37 BF4B 8EEF 1A57 1DF5
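To make the "simple case b)" and "extension a)" above concrete, here is an added toy sketch (not GnuPG code and not the interface the post proposes) of what such an external validity calculator could compute: it parses constructed `gpg --with-colons --list-sigs` style records, applies a policy that optionally ignores level-0 (0x10 generic) certifications, and reports which certification from a fully trusted signer makes each user ID valid. The ownertrust set, key IDs and user IDs are all constructed sample data.

```python
"""Toy external validity calculator over gpg --with-colons style records.

Added illustration only: it is not part of GnuPG and does not implement the
real trustdb algorithm (no marginals, no depth, no signature verification).
"""

# Constructed sample in the shape of `gpg --with-colons --list-sigs` output.
# sig record: field 5 = signer key ID, field 11 = signature class; class
# 0x10..0x13 corresponds to certification level 0..3.
SAMPLE = """\
pub:-:4096:1:AAAAAAAAAAAAAAAA:1400000000::::::
uid:-::::1400000000::HASH1::Alice <alice@example.org>::
sig:::1:1111111111111111:1400000100::::Bob <bob@example.org>:10x:
sig:::1:2222222222222222:1400000200::::Carol <carol@example.org>:13x:
pub:-:4096:1:BBBBBBBBBBBBBBBB:1400000000::::::
uid:-::::1400000000::HASH2::Dave <dave@example.org>::
sig:::1:1111111111111111:1400000300::::Bob <bob@example.org>:10x:
"""

# Constructed "ownertrust": signers whose certifications count at all.
FULLY_TRUSTED = {"1111111111111111", "2222222222222222"}


def parse(colons):
    """Group certifications as {(key_id, user_id): [(signer, level), ...]}."""
    records, key_id, uid = {}, None, None
    for line in colons.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            key_id = f[4]
        elif f[0] == "uid":
            uid = f[9]
            records[(key_id, uid)] = []
        elif f[0] == "sig" and uid is not None:
            level = int(f[10][:2], 16) - 0x10  # "10x" -> 0, "13x" -> 3
            records[(key_id, uid)].append((f[4], level))
    return records


def validity(colons, trusted, min_level=0):
    """Per (key, uid): the signers that contribute under the policy.

    An empty list means the user ID would be reported as not valid.
    min_level=1 is the "ignore level 0 certifications" policy from the post.
    """
    return {
        key: [signer for signer, lvl in sigs if signer in trusted and lvl >= min_level]
        for key, sigs in parse(colons).items()
    }


if __name__ == "__main__":
    for policy in (0, 1):
        print(f"--- minimum certification level {policy} ---")
        for (key_id, uid), signers in validity(SAMPLE, FULLY_TRUSTED, policy).items():
            print(f"{key_id} {uid}: {'valid via ' + ', '.join(signers) if signers else 'NOT valid'}")
```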
_______________________________________________ Gnupg-users mailing list [email protected] http://lists.gnupg.org/mailman/listinfo/gnupg-users
