[prev in list] [next in list] [prev in thread] [next in thread] 

List:       gnupg-users
Subject:    Re: --lsign --add-me or the invisible WoT
From:       Stefan Claas via Gnupg-users <gnupg-users () gnupg ! org>
Date:       2019-07-31 14:25:37
Message-ID: 20190731162537.00005c16.sac () 300baud ! de
[Download RAW message or body]

Andrew Gallagher wrote:

> On 31/07/2019 14:58, Stefan Claas via Gnupg-users wrote:
> > an exportable 'blob' for the lsign
> > command, which can be then exchanged and would not be compatible with
> > key servers, in case someone would try to upload such a blob
> 
> The keyservers (SKS at least) blacklist lsign packets already, so you're
> not gaining anything here.
> 

Correct. To make it a bit more clear ...

I lsign Bob's key so third parties do not know (normally) that I did
this. But how could my friend Alice trust Bob's key she has without
my non-exportable lsign sig?

What I tried to propose is an additional parameter, like --add-me
which would write a 'blob' to a second file.db where I can export
then Bob's blob (non-compatible to SKS etc.) with my --lsign sig,
and give it to my friend Alice. Later If Alice knows Bob better
or personally knows him she can --lsign --add-me Bob's key ('blob')
too and give it to her friend Mary. Mary would have then a 'blob"
from Bob containing my and Alice's lsigs, which are non-compatible
to key servers, but would be IMHO equal to classic WoT sigs.

So to speak it is meaned for little WoTs (for those who needs them)
where participants don't have to fear that their sigs are published
in the future on whatever key servers we have, to not reveal their
social graphs.

Regards
Stefan

-- 
box: 4a64758de9e8ceded2c481ee526440687fe2f3a828e3a813f87753ad30847b56
GPG: C93E252DFB3B4DB7EAEB846AD8D464B35E12AB77 (avail. on Hagrid, WKD)

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
[prev in list] [next in list] [prev in thread] [next in thread]