Re: OpenPGP certifications are identity assertions [was: Re: upstream source code authenticity checking]

[Simon McVittie <smcv () debian org>]

On 02/05/13 17:42, Daniel Kahn Gillmor wrote:
> most OpenPGP signatures in the current web of trust are *not*
> trust signatures, and trust packets aren't emitted or transferred
> publicly (they're private indicators used for local keyring
> storage).

Some PGP publications try to avoid mentioning "trust" altogether: they
talk about "[user ID] validity" and "ownertrust".

"User ID validity" is when you sign something with semantics similar
to "I am reasonably confident that the key 4096R/4DE8FF2A63C7CC90
belongs to Simon McVittie whose address is smcv () debian org". That's
what happens in keysigning.

"Ownertrust" is when you configure gpg with things like "if Simon says
a user ID is valid, assume that it is" (full ownertrust), or "if Simon
and two others with partial ownertrust all agree that a user ID is
valid, assume that it is" (partial ownertrust).

Both of those are orthogonal to whether you can trust that I haven't
deliberately included malicious code in a software package signed by
my key, whether you can trust that I haven't accidentally included
dangerously insecure code in that package, or whether I even have the
authority to be saying "this is a release" on behalf of the project
from which it purports to be a release.

    S