[Cryptography] PGP Key Signing parties

ianG iang at iang.org
Fri Oct 11 02:24:17 EDT 2013


On 11/10/13 02:24 AM, Glenn Willen wrote:
> John,
>
> On Oct 10, 2013, at 2:31 PM, John Gilmore wrote:
>>
>> ...  Signing them would assert to
>> any stranger that "I know that this key belongs to this identity", which
>> would be false and would undermine the strength of the web of trust.


Where is this writ?


> I am going to be interested to hear what the rest of the list says about this, because this definitely contradicts what has been presented to me as 'standard practice' for PGP use -- verifying identity using government issued ID, and completely ignoring personal knowledge.


+1  I grew up in the "sign-on-first-meet" doctrine.

> Do you have any insight into what proportion of PGP/GPG users mean their signatures as "personal knowledge" (my preference and evidently yours), versus "government ID" (my perception of the community standard "best practice"), versus "no verification in particular" (my perception of the actual common practice in many cases)?

Good question.

> (In my ideal world, we'd have a machine readable way of indicating what sort of verification was performed. Signing policies, not being machine readable or widely used, don't cover this well. There is space for key-value annotations in signature packets, which could help with this if we standardized on some.)


Right.  A signature has to mean something.  What is that something?  The 
CA world is mumble mumble over semantics, whereas the PGP world openly 
offers incompatible conventions.  Which is better or worse is beyond me.

iang
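The "key-value annotations in signature packets" mentioned in the quoted text are the OpenPGP Notation Data subpackets (RFC 4880, section 5.2.3.16). As an added example, not code from anyone in this thread, the following Python encodes and parses that subpacket format, alongside the four built-in certification signature types (0x10 to 0x13) which are the only standardized, machine-readable hint about how much checking a signer did. The wire format is taken from RFC 4880; the notation name `verify@example.org` and its value are constructed for illustration and are not a standard of any kind.

```python
"""
Added example (not from the mailing-list thread): encode and decode the
OpenPGP "Notation Data" signature subpacket (RFC 4880, section 5.2.3.16).
The wire format below follows RFC 4880; the notation name and value used
in the sample are constructed and do not correspond to any standard.
"""
import struct

SUBPACKET_NOTATION_DATA = 20          # RFC 4880 subpacket type: notation data
NOTATION_HUMAN_READABLE = 0x80000000  # flag bit: the value is UTF-8 text

# Certification signature types (RFC 4880 section 5.2.1). These are the only
# built-in, machine-readable "how much did I verify" levels OpenPGP offers.
CERT_TYPES = {
    0x10: "generic certification (no statement about verification)",
    0x11: "persona certification (no verification performed)",
    0x12: "casual certification (some casual verification)",
    0x13: "positive certification (substantial verification)",
}


def encode_subpacket_length(n):
    """Variable-length subpacket length (RFC 4880 section 5.2.3.1)."""
    if n < 192:
        return bytes([n])
    if n < 8384:
        n -= 192
        return bytes([(n >> 8) + 192, n & 0xFF])
    return b"\xff" + struct.pack(">I", n)


def decode_subpacket_length(buf, pos):
    """Inverse of encode_subpacket_length; returns (length, new_pos)."""
    first = buf[pos]
    if first < 192:
        return first, pos + 1
    if first < 255:
        return ((first - 192) << 8) + buf[pos + 1] + 192, pos + 2
    return struct.unpack(">I", buf[pos + 1:pos + 5])[0], pos + 5


def build_notation_subpacket(name, value, critical=False):
    """One notation subpacket: flags(4) name_len(2) value_len(2) name value."""
    name_b = name.encode("utf-8")
    value_b = value.encode("utf-8")
    body = struct.pack(">IHH", NOTATION_HUMAN_READABLE,
                       len(name_b), len(value_b)) + name_b + value_b
    type_octet = SUBPACKET_NOTATION_DATA | (0x80 if critical else 0)
    return encode_subpacket_length(len(body) + 1) + bytes([type_octet]) + body


def parse_subpackets(area):
    """Walk a hashed/unhashed subpacket area into (type, critical, body)."""
    pos, out = 0, []
    while pos < len(area):
        length, pos = decode_subpacket_length(area, pos)
        if length == 0 or pos + length > len(area):
            raise ValueError("truncated or malformed subpacket")
        type_octet = area[pos]
        out.append((type_octet & 0x7F, bool(type_octet & 0x80),
                    area[pos + 1:pos + length]))
        pos += length
    return out


def parse_notation(body):
    """Decode a notation body into (name, value, human_readable)."""
    if len(body) < 8:
        raise ValueError("notation body too short")
    flags, name_len, value_len = struct.unpack(">IHH", body[:8])
    if 8 + name_len + value_len != len(body):
        raise ValueError("notation length fields disagree with body length")
    name = body[8:8 + name_len].decode("utf-8")
    value = body[8 + name_len:]
    human = bool(flags & NOTATION_HUMAN_READABLE)
    return name, (value.decode("utf-8") if human else value), human


def notations_in(area):
    """Return {name: value} for every notation subpacket in the area.

    A critical subpacket of a type this parser does not understand must be
    treated as an error (RFC 4880 section 5.2.3.1), so it raises.
    """
    found = {}
    for sp_type, critical, body in parse_subpackets(area):
        if sp_type == SUBPACKET_NOTATION_DATA:
            name, value, _ = parse_notation(body)
            found[name] = value
        elif critical:
            raise ValueError("critical subpacket of unknown type %d" % sp_type)
    return found


if __name__ == "__main__":
    # Constructed sample: a hypothetical "verification method" notation.
    area = build_notation_subpacket("verify@example.org", "government-id")
    print(area.hex())
    print(notations_in(area))
    print(CERT_TYPES[0x13])
```

The parser honours the critical bit: an implementation that cannot interpret a critical notation must reject the signature rather than silently accept a certification whose meaning it does not understand, which is exactly the kind of semantic the thread is asking for.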


