Later, I came to the conclusion that this is not a valid argument.

It being October 13, the Annual Day of Reconciliation, I find myself defending dkg's position.

A "casual" certification level to me may be different from a "casual" certification level in another person's mind. Which means that it does not reveal the people that I like, and does not reveal my social graph, at all.

It just reveals how accurate I am assuring some key's information is.

No: it doesn't even reveal that, unless you first make publicly available your criteria for issuing each level of verification. If I see a persona certification, a casual certification, and a vetted certification, I have no idea what semantics to attach to any of them. For all I know your 'casual signature' requires a passport and DNA sample and your 'vetted signature' requires a polygraph examination. Or vice-versa. Or nothing at all.

The requirement that signers post their criteria for issuing different kinds of certifications -- a requirement neither the spec nor GnuPG advertises, but which is absolutely necessary for this feature to work as intended -- returns us to the realm of revealing a lot of information.

dkg says the revelations are too great. I disagree: each individual gets to decide whether the revelations are too great to be compatible with their risk model. But I certainly concur with him there are significant revelations.

I also want to add that I love the way that GnuPG separated the certification level into 4 levels. "No opinion" level means silence. "Persona" means negative. "Casual" means neutral. "Extensive" means positive.

It does not. The meaning is left for individuals to precisely define. What does 'casual verification' mean? What IDs are acceptable? Why? Is the signer competent to recognize false IDs of those kinds? How do you *know* the signer is competent to adhere to that stated policy?

These aren't academic things. If you're doing real-world cryptographic engineering, these are bread-and-butter issues.

Attachment: OpenPGP_signature.asc
Description: OpenPGP digital signature

_______________________________________________
Gnupg-users mailing list
[email protected]
https://lists.gnupg.org/mailman/listinfo/gnupg-users
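An added illustration of what the thread is arguing over (example code, not from the thread or from GnuPG): on the wire the four certification levels are nothing more than the signature-type octet 0x10-0x13 of an OpenPGP signature packet, and the only in-band place a signer has to publish the criteria behind a level is the Policy URI subpacket (type 26). The parser below extracts both from a constructed toy packet; it assumes an old-format packet header with a one-octet length, placeholder MPIs and no signature-creation-time subpacket, so the sample is not a verifiable signature.

```python
"""Read certification level and Policy URI from a constructed OpenPGP v4 signature."""
import struct

# RFC 4880 signature types 0x10-0x13; the thread's labels are silence/negative/neutral/positive.
CERT_LEVELS = {0x10: "generic (no opinion)", 0x11: "persona",
               0x12: "casual", 0x13: "positive"}
SUBPKT_POLICY_URI = 26  # RFC 4880 5.2.3.20: where a signer can point at its criteria


def _subpacket_len(buf, i):
    """Return (length, octets consumed) for an RFC 4880 subpacket length field."""
    b0 = buf[i]
    if b0 < 192:
        return b0, 1
    if b0 < 255:
        return ((b0 - 192) << 8) + buf[i + 1] + 192, 2
    return struct.unpack(">I", buf[i + 1:i + 5])[0], 5


def _subpackets(buf):
    """Yield (type, critical, data) for every subpacket in a subpacket area."""
    i = 0
    while i < len(buf):
        n, consumed = _subpacket_len(buf, i)
        i += consumed
        t = buf[i]                      # high bit is the 'critical' flag
        yield t & 0x7F, bool(t & 0x80), buf[i + 1:i + n]
        i += n


def describe_certification(packet):
    """Return (level name, policy URI or None) from a v4 certification packet."""
    if packet[0] & 0xC0 != 0x80 or (packet[0] >> 2) & 0x0F != 2:
        raise ValueError("expected an old-format signature packet (tag 2)")
    body = packet[2:2 + packet[1]]      # assumption: one-octet body length
    if body[0] != 4:
        raise ValueError("only v4 signatures are handled here")
    sigtype = body[1]
    if sigtype not in CERT_LEVELS:
        raise ValueError("not a certification signature (0x10-0x13)")
    hashed_len = struct.unpack(">H", body[4:6])[0]
    uri = None
    for t, _critical, data in _subpackets(body[6:6 + hashed_len]):
        if t == SUBPKT_POLICY_URI:
            uri = data.decode("utf-8")
    return CERT_LEVELS[sigtype], uri


def build_sample(sigtype, policy_uri=None):
    """Construct a toy packet (RSA/SHA-256 ids, zeroed hash prefix, no MPIs)."""
    sub = b""
    if policy_uri is not None:
        data = policy_uri.encode("utf-8")
        sub = bytes([len(data) + 1, SUBPKT_POLICY_URI]) + data  # length < 192 assumed
    body = bytes([4, sigtype, 1, 8]) + struct.pack(">H", len(sub)) + sub
    body += b"\x00\x00" + b"\x00\x00"   # empty unhashed area, dummy hash prefix
    return bytes([0x88, len(body)]) + body
```

Without a Policy URI the parser returns `None` for the criteria, which is exactly the situation the thread describes: the octet says "casual" and nothing else.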
