
Re: pgp signing in van

2013-09-06 20:30:48


On 9/6/2013 5:10 PM, Ted Lemon wrote:
> On Sep 6, 2013, at 6:42 PM, Joe Touch <touch(_at_)isi(_dot_)edu> wrote:
>> I've noted elsewhere that the current typical key-signing party
>> methods are very weak. You should sign only the keys of those who you
>> know well enough to claim you can attest to their identity.
>
> This is a ridiculously high bar. The bar should be about at the
> level of a Facebook friend request.

Given I'm not on Facebook, the latter bar is infinitely high.

As per the PGP description:

---
There are several levels of confidence which can be included in such signatures. Although many programs read and write this information, few (if any) include this level of certification when calculating whether to trust a key.
---

And that's the problem - as long as endorsements are equal, they're only as good as your weakest one.

Joe
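
The point about certification levels, as an added example that is not part of the original message: OpenPGP (RFC 4880) defines certification types 0x10 to 0x13, and this sketch contrasts counting every certification equally with counting only chosen levels. It assumes GnuPG's `--with-colons` signature listing, where field 11 of a `sig` record is the signature class; the key IDs and names are constructed.

```python
# Added illustration; SAMPLE is constructed data, not real keys.
# RFC 4880 certification signature types.
LEVELS = {
    0x10: "generic (no statement about verification)",
    0x11: "persona (no verification done)",
    0x12: "casual verification",
    0x13: "positive (substantial verification)",
}

# Constructed listing in the shape of `gpg --with-colons --list-sigs`.
SAMPLE = """\
pub:-:4096:1:AAAA000000000001:1378400000:::-:::scESC:
sig:::1:AAAA000000000001:1378400000::::Carol Example <carol@example.org>:13x:
sig:::1:BBBB000000000002:1378500000::::Attendee One <one@example.org>:10x:
sig:::1:CCCC000000000003:1378500100::::Attendee Two <two@example.org>:11x:
sig:::1:DDDD000000000004:1378500200::::Old Colleague <dee@example.org>:13x:
sig:::1:EEEE000000000005:1378500300::::Attendee Three <three@example.org>:12x:
"""


def certifications(listing):
    """Yield (signer_keyid, level) for each third-party certification."""
    owner = None
    for line in listing.splitlines():
        fields = line.split(":")
        if fields[0] == "pub":
            owner = fields[4]          # field 5: key ID of the key being listed
        elif fields[0] == "sig" and len(fields) > 10 and fields[4] != owner:
            level = int(fields[10][:2], 16)   # field 11: e.g. "13x" or "12l"
            if level in LEVELS:
                yield fields[4], level


def endorsements(listing, accepted=frozenset(LEVELS)):
    """Signer key IDs whose certification level is in `accepted`."""
    return sorted(k for k, lvl in certifications(listing) if lvl in accepted)


if __name__ == "__main__":
    for keyid, lvl in certifications(SAMPLE):
        print(keyid, hex(lvl), LEVELS[lvl])
    print("all levels counted equally:", len(endorsements(SAMPLE)))
    print("positive (0x13) only:", len(endorsements(SAMPLE, {0x13})))
```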
