Signs keys for people you don't LIKE?
Well, I was referring to people who send spam, or aren't reputable business folk, or do any of a list of nasty things that I consider non-trustworthy. I should have put "don't like" in quotes.
In your scenario what happens if you find out that Ted Tso or Jeff Schiller has signed a bogus key. Do you then revoke every key they ever issued on that account?
I might. It depends. If I think it was a fluke incident, I might not. But, if I thought that Ted and/or Jeff were repeatedly signing keys for disreputable folks, I might very well mark their keys as "untrusted" and not trust keys that were solely signed by them. Or (if we start talking about pie-in-the-sky kinds of things), I could imagine my e-mail filters saying, "Quarantine e-mail not signed by someone in this list of keys", and I might remove Ted and/or Jeff from that list of keys.
Please remember here that we are trying to solve the spam problem here.
That's not what *I* was doing here. I was simply trying to point out that the liability model was different for a web of trust than for CA trust. Whether using either method is more or less applicable to solving the spam problem is not something I'm willing to discuss in this forum.
--
Pete Resnick <mailto:presnick@qualcomm.com>
QUALCOMM Incorporated - Direct phone: (858)651-4478, Fax: (858)651-1102