On 6/6/03 at 9:48 AM -0700, Phillip Hallam-Baker wrote:

> Signs keys for people you don't LIKE?

Well, I was referring to people who send spam, or aren't reputable
business folk, or do any of a list of nasty things that I consider
non-trustworthy. I should have put "don't like" in quotes.

> In your scenario what happens if you find out that Ted Tso or Jeff
> Schiller has signed a bogus key. Do you then revoke every key they
> ever issued on that account?

I might. It depends. If I think it was a fluke incident, I might not.
But, if I thought that Ted and/or Jeff were repeatedly signing keys
for disreputable folks, I might very well mark their keys as
"untrusted" and not trust keys that were solely signed by them. Or
(if we start talking about pie-in-the-sky kinds of things), I could
imagine my e-mail filters saying, "Quarantine e-mail not signed by
someone in this list of keys", and I might remove Ted and/or Jeff
from that list of keys.

> Please remember here that we are trying to solve the spam problem here.

That's not what *I* was doing here. I was simply trying to point out
that the liability model was different for a web of trust than for CA
trust. Whether using either method is more or less applicable to
solving the spam problem is not something I'm willing to discuss in
this forum.
--
Pete Resnick <mailto:presnick(_at_)qualcomm(_dot_)com>
QUALCOMM Incorporated - Direct phone: (858)651-4478, Fax: (858)651-1102