Weins, Thorsten wrote:
Hello,

the implementation of Trust Packets is implementation specific.
Does anybody know how these packets are implemented in PGP 7.x or
higher?

BTW, is there a reason why they are implementation specific? If somebody
uses different implementations (e.g. on different platforms) of PGP, he
will not be able to use his "one and only" keyring.

Some random comments.

One of the most perceptive decisions that the early PGP
designers made was to not define trust. This was a good
decision because trust defies definition. Trust is too
much wrapped up in the context of the user and her companion
users, and the programmer can't really narrow that down
usefully ahead of time.

Encouraging an implementation to more closely define trust,
and standardising this across implementations, would break
it. An example of this is the X.509 PKI in use in HTTPS -
they define trust as being a CA-signed cert that includes,
for example, some notion of what country you are in (? from?).

In terms of keyrings - Werner mentioned the local issues
with databases. Trust includes lots of information that
will/should never be exported. By not standardising the
format of the keyrings (and suggesting inter-program exports
to be done by means of ASCII-armoured keys) PGP votes to
encourage experimenting with trust at the implementation
level. This allows an implementation to add some special
notes in there, or turn it into an addressbook, or build
up signing networks.

That's much more beneficial than some committee trying to
define trust.

iang
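
An added illustration of the point above about trust data staying local (this is not code from the post or from any PGP implementation): a Python example that walks a binary OpenPGP packet stream and drops Trust packets (tag 12 in the OpenPGP packet format) before the remaining key material would be armoured for export. The sample bytes and the names `iter_packets` and `strip_trust` are constructed for this example; partial-body and indeterminate lengths are rejected rather than parsed.

```python
# Added example: drop Trust packets (tag 12) from a binary OpenPGP packet stream.
TRUST_TAG = 12  # Trust packet tag in the OpenPGP packet format

def iter_packets(data):
    """Yield (tag, raw_bytes) per packet; raise ValueError on malformed input."""
    pos = 0
    while pos < len(data):
        start, first = pos, data[pos]
        if not first & 0x80:
            raise ValueError(f"offset {start}: high bit clear, not a packet header")
        try:
            if first & 0x40:                   # new-format header
                tag, o1 = first & 0x3F, data[pos + 1]
                if o1 < 192:                   # one-octet length
                    length, pos = o1, pos + 2
                elif o1 < 224:                 # two-octet length
                    length, pos = ((o1 - 192) << 8) + data[pos + 2] + 192, pos + 3
                elif o1 == 255:                # five-octet length
                    length, pos = int.from_bytes(data[pos + 2:pos + 6], "big"), pos + 6
                else:
                    raise ValueError(f"offset {start}: partial body length not handled")
            else:                              # old-format header
                tag, ltype = (first >> 2) & 0x0F, first & 0x03
                if ltype == 3:
                    raise ValueError(f"offset {start}: indeterminate length not handled")
                n = 1 << ltype                 # 1, 2 or 4 length octets
                length, pos = int.from_bytes(data[pos + 1:pos + 1 + n], "big"), pos + 1 + n
        except IndexError:
            raise ValueError(f"offset {start}: truncated header") from None
        if pos + length > len(data):
            raise ValueError(f"offset {start}: truncated packet body")
        yield tag, data[start:pos + length]
        pos += length

def strip_trust(data):
    """Return the stream with every Trust packet removed, other packets untouched."""
    return b"".join(raw for tag, raw in iter_packets(data) if tag != TRUST_TAG)

# Constructed sample: two User ID packets (tag 13), each followed by a Trust packet.
UID_OLD = bytes([0xB4, 5]) + b"alice"      # old-format header, tag 13
TRUST_OLD = bytes([0xB0, 1, 0x03])         # old-format header, tag 12
UID_NEW = bytes([0xCD, 3]) + b"bob"        # new-format header, tag 13
TRUST_NEW = bytes([0xCC, 1, 0x00])         # new-format header, tag 12
SAMPLE = UID_OLD + TRUST_OLD + UID_NEW + TRUST_NEW

if __name__ == "__main__":
    print([tag for tag, _ in iter_packets(SAMPLE)])
    print(strip_trust(SAMPLE).hex())
```

The trust octets in the sample are arbitrary, since their meaning is exactly the implementation-specific part under discussion.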