
- re. anonymous keys. There is no need for them to be part of the web of trust. If you really want them there, it is then a common requirement for signatories to require at least a verifiable e-mail address bound to the person they know and are authenticating. But then arguably it's not very anonymous any more.

- re. multiple identities. Cross-signatures in the web of trust are done on individual identities, not the master key! So if you sign an identity and the key owner then creates another, that new identity will not carry your signature.

- re. key parties: so far it wasn't an issue because it was implicitly assumed that people attending a key party were savvy enough to understand how to sign. For PGP to be democratized the concept of key party needs to evolve. I personally combine them with a small lecture on PGP use, and say "you get to sign each other only if you have attended the lecture including its small practical".

- re. software keys. These are typically considered as an extension to the developers' keys. You as a user shouldn't sign those.



> it was implicitly assumed that people attending a key party were savvy enough to understand how to sign

It's not only about being savvy though. You trust the person to not misuse his/her key unknowingly or knowingly. If you only use marginal trust on a key signing party then it can be mitigated somewhat though. What's the usual trust level used on such a party?

Edit:

Then the Putty master key is misused according to you: https://pgp.mit.edu/pks/lookup?op=vindex&search=0x4F5E6DF56A...
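The two mechanics the thread turns on (certifications attach to a user ID, not to the key; marginal ownertrust needs several independent signers before a key becomes valid) are easy to see in a small model. The following is an added example, not code from either commenter and not GnuPG's implementation: it is a toy web-of-trust validity calculator using GnuPG's default thresholds (one fully trusted signer or three marginally trusted signers validate a user ID, certification chains capped at depth 5). All key fingerprints, user IDs and the `Key`/`Keyring` classes are constructed for the illustration.

```python
"""Toy model of classic PGP web-of-trust validity (constructed example).

Mirrors GnuPG's default thresholds (--completes-needed 1, --marginals-needed 3,
--max-cert-depth 5) to show:
  1. a certification is bound to one (key, user ID) pair, so a user ID the
     owner adds later carries no signature;
  2. giving keysigning-party attendees only marginal ownertrust means one
     careless signer alone cannot make a stranger's key valid.
"""
from dataclasses import dataclass, field

COMPLETES_NEEDED = 1   # GnuPG default: one fully trusted signer suffices
MARGINALS_NEEDED = 3   # GnuPG default: else three marginally trusted signers
MAX_CERT_DEPTH = 5     # GnuPG default chain length bound; also stops cycles


@dataclass
class Key:
    fingerprint: str                                   # constructed placeholder
    uids: set = field(default_factory=set)             # user IDs on this key
    certs: dict = field(default_factory=dict)          # uid -> signer fingerprints

    def add_uid(self, uid):
        self.uids.add(uid)
        self.certs.setdefault(uid, set())

    def certify(self, uid, signer):
        """`signer` attests that this key's `uid` belongs to the person they met."""
        if uid not in self.uids:
            raise ValueError("cannot certify a user ID the key does not carry")
        self.certs[uid].add(signer.fingerprint)


class Keyring:
    def __init__(self, me):
        self.me = me
        self.keys = {me.fingerprint: me}
        self.ownertrust = {me.fingerprint: "ultimate"}  # fingerprint -> trust level

    def add(self, key):
        self.keys[key.fingerprint] = key

    def set_ownertrust(self, key, level):
        assert level in ("full", "marginal", "none")
        self.ownertrust[key.fingerprint] = level

    def key_is_valid(self, fpr, depth=0):
        """A key may act as introducer if it is ours or any of its UIDs is valid."""
        if fpr == self.me.fingerprint:
            return True
        key = self.keys.get(fpr)
        if key is None or depth >= MAX_CERT_DEPTH:
            return False
        return any(self.uid_valid(key, u, depth) for u in key.uids)

    def uid_valid(self, key, uid, depth=0):
        """Validity is computed per user ID from certifications on that UID only."""
        if key.fingerprint == self.me.fingerprint:
            return True
        full = marginal = 0
        for signer in key.certs.get(uid, ()):
            if not self.key_is_valid(signer, depth + 1):
                continue                       # a cert from an unvalidated key is ignored
            level = self.ownertrust.get(signer, "none")
            if level in ("ultimate", "full"):
                full += 1
            elif level == "marginal":
                marginal += 1
        return full >= COMPLETES_NEEDED or marginal >= MARGINALS_NEEDED


def demo():
    me = Key("ME00-constructed")
    me.add_uid("me@example.org")
    ring = Keyring(me)

    # Point 1: I met Bob, checked his bob@ address, and signed that UID only.
    bob = Key("B0B1-constructed")
    bob.add_uid("bob@example.org")
    ring.add(bob)
    bob.certify("bob@example.org", me)
    bob.add_uid("bob@another.example")        # Bob adds a second identity later
    results = {
        "bob_signed_uid": ring.uid_valid(bob, "bob@example.org"),      # True
        "bob_new_uid": ring.uid_valid(bob, "bob@another.example"),     # False
    }

    # Point 2: three party attendees whose keys I signed, each given marginal trust.
    attendees = []
    for i in range(3):
        k = Key(f"ATT{i}-constructed")
        k.add_uid(f"attendee{i}@example.org")
        ring.add(k)
        k.certify(f"attendee{i}@example.org", me)
        ring.set_ownertrust(k, "marginal")
        attendees.append(k)

    carol = Key("CA12-constructed")           # a stranger I never met myself
    carol.add_uid("carol@example.org")
    ring.add(carol)
    carol.certify("carol@example.org", attendees[0])
    results["carol_one_marginal"] = ring.uid_valid(carol, "carol@example.org")   # False
    carol.certify("carol@example.org", attendees[1])
    carol.certify("carol@example.org", attendees[2])
    results["carol_three_marginal"] = ring.uid_valid(carol, "carol@example.org") # True

    # Contrast: full trust in one attendee lets that single signer validate anyone.
    dave = Key("DA5E-constructed")
    dave.add_uid("dave@example.org")
    ring.add(dave)
    dave.certify("dave@example.org", attendees[0])
    results["dave_before_full"] = ring.uid_valid(dave, "dave@example.org")  # False
    ring.set_ownertrust(attendees[0], "full")
    results["dave_after_full"] = ring.uid_valid(dave, "dave@example.org")   # True
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'valid' if ok else 'not valid'}")
```

The model deliberately omits revocation, expiry and signature verification; its only purpose is to show that the per-UID binding and the marginal-trust threshold are what bound the blast radius of one careless signer at a party.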





