On 23 Mar 2016, at 21:07, Doug Barton <[email protected]> wrote:
>
>> On 3/22/2016 11:14 AM, Andrew Gallagher wrote:
>> the question most useful to a user is "given this particular
>> signature, how much confidence should I invest in it?".
>
> No, the question *most* users that bother to use the signature at all ask
> about it is, "Did it validate?"

You're contradicting something I didn't say.

> The answer to *your* question, "How much confidence should I invest in it?"
> is, "Very little."

"Very little" is still better than "nothing", which is the only alternative on offer.

> Except in certain specialized situations the only utility for a PGP signature
> is, "Does it show that the thing signed arrived unchanged?"

Unchanged compared to what? ;-)

> You cannot reasonably place more confidence in it than that, regardless of
> the number of known signatures the key has.
>
> 1. You don't know if the key was in full control of the person/organization
> it purports to represent before, during, or after the signatures you are
> trusting were applied.
>
> 2. You don't know if the person in control of the key at the time the thing
> you care about was signed was being coerced, or not.
>
> And as Robert pointed out, for organizational keys there is no way that you
> can associate control of the key with a known, trusted individual.

All true. And all beside the point that I was making, which is that a validated signature may not be much, but it's a) all that we have, and b) better than nothing.

> So trying to validate a key in the manner you described in your e-mail is at
> best a fool's errand. If you enjoy the work, by all means help yourself. But
> let's please stop pretending that signatures mean more than they really do.

Spending a lot of bandwidth refuting straw man points that I didn't actually make is also a fool's errand. ;-)

A

_______________________________________________
Gnupg-users mailing list
[email protected]
http://lists.gnupg.org/mailman/listinfo/gnupg-users
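The two questions argued over above, "did it validate?" and "how much confidence should I invest in it?", are things gpg itself reports separately on its `--status-fd` channel: GOODSIG/VALIDSIG say the signature is cryptographically good for some key, while the TRUST_* line says how far the local web of trust vouches for that key. The following is an added example, not code from either poster or from GnuPG: a small parser that keeps the two answers apart so a script cannot silently treat "it validated" as "it is trusted". The status keywords are gpg's real ones; the sample status lines, key IDs, fingerprints and user ID are constructed placeholders, and the `accept` policy threshold is an assumption for illustration.

```python
"""Keep "did it validate?" apart from "how much confidence?" in gpg output.

gpg --status-fd emits GOODSIG/VALIDSIG for a cryptographically good signature
and a separate TRUST_* line for the key's web-of-trust standing. Grepping only
for GOODSIG conflates the two questions argued over in the thread above.
"""
import re
from dataclasses import dataclass, field

# Constructed sample status-fd output (not captured data). Key IDs,
# fingerprints and the user ID are placeholders.
GOOD_UNKNOWN_TRUST = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 89ABCDEF01234567 Example Signer <signer@example.invalid>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2016-03-23 1458763620 0 4 0 1 8 00 0123456789ABCDEF0123456789ABCDEF01234567
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""

# Same signature, but the key is fully trusted in the local trustdb.
GOOD_FULL_TRUST = GOOD_UNKNOWN_TRUST.replace("TRUST_UNDEFINED", "TRUST_FULLY")

# Signature that does not verify (content or signature altered).
BAD_SIG = """\
[GNUPG:] NEWSIG
[GNUPG:] BADSIG 89ABCDEF01234567 Example Signer <signer@example.invalid>
"""

# Signing key not in the keyring: nothing can be said at all.
MISSING_KEY = """\
[GNUPG:] NEWSIG
[GNUPG:] ERRSIG 89ABCDEF01234567 1 8 00 1458763620 9 0123456789ABCDEF0123456789ABCDEF01234567
[GNUPG:] NO_PUBKEY 89ABCDEF01234567
"""

# gpg's trust levels, weakest to strongest.
TRUST_ORDER = ["TRUST_NEVER", "TRUST_UNDEFINED", "TRUST_MARGINAL",
               "TRUST_FULLY", "TRUST_ULTIMATE"]

PROBLEM_KEYWORDS = ("BADSIG", "ERRSIG", "NO_PUBKEY",
                    "EXPSIG", "EXPKEYSIG", "REVKEYSIG")

STATUS_RE = re.compile(r"^\[GNUPG:\] (\S+)(?: (.*))?$")


@dataclass
class VerifyResult:
    validated: bool = False          # "did it validate?": GOODSIG and VALIDSIG, no problems
    fingerprint: str = ""            # primary key fingerprint from VALIDSIG
    signer_uid: str = ""             # user ID string from GOODSIG
    trust: str = "TRUST_UNDEFINED"   # "how much confidence?": default if no TRUST_* line
    problems: list = field(default_factory=list)


def parse_status(text: str) -> VerifyResult:
    """Reduce a --status-fd transcript to the two separate answers."""
    r = VerifyResult()
    goodsig = validsig = False
    for line in text.splitlines():
        m = STATUS_RE.match(line)
        if not m:
            continue  # ignore non-status noise (gpg's human-readable stderr)
        kw, args = m.group(1), (m.group(2) or "")
        if kw == "GOODSIG":
            goodsig = True
            r.signer_uid = args.split(" ", 1)[1] if " " in args else ""
        elif kw == "VALIDSIG":
            validsig = True
            r.fingerprint = args.split()[0]
        elif kw in TRUST_ORDER:
            r.trust = kw
        elif kw in PROBLEM_KEYWORDS:
            r.problems.append(kw)
    # Integrity question only: unchanged since signed by *some* holder of this key.
    r.validated = goodsig and validsig and not r.problems
    return r


def accept(r: VerifyResult, minimum: str = "TRUST_FULLY") -> bool:
    """Assumed policy: require both a valid signature and a trust floor.

    Neither answer covers the points raised in the thread (who controlled
    the key, or whether they were coerced); gpg cannot report those.
    """
    return r.validated and TRUST_ORDER.index(r.trust) >= TRUST_ORDER.index(minimum)


if __name__ == "__main__":
    for name, sample in [("unknown trust", GOOD_UNKNOWN_TRUST),
                         ("full trust", GOOD_FULL_TRUST),
                         ("bad signature", BAD_SIG),
                         ("missing key", MISSING_KEY)]:
        res = parse_status(sample)
        print(f"{name:14} validated={res.validated!s:5} trust={res.trust:16} "
              f"accept={accept(res)} problems={res.problems}")
```

In practice the transcript comes from `gpg --status-fd 1 --verify file.sig file` (or `--batch --status-fd` on a pipe); the point of parsing the status channel rather than the exit code is that a zero exit with TRUST_UNDEFINED is exactly the "it validated, but that's all you get" case both posters describe.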
