[Cryptography] PGP Key Signing parties

Richard Outerbridge outer at sympatico.ca
Fri Oct 11 01:22:44 EDT 2013


On 2013-10-10 (283), at 19:24:19, Glenn Willen <gwillen at nerdnet.org> wrote:

> John,
> 
> On Oct 10, 2013, at 2:31 PM, John Gilmore wrote:
>> 
>> An important user experience point is that we should be teaching GPG
>> users to only sign the keys of people who they personally know.

[....]

>> would be false and would undermine the strength of the web of trust.
> 
> I am going to be interested to hear what the rest of the list says about this, because this definitely contradicts what has been presented to me as 'standard practice' for PGP use -- verifying identity using government issued ID, and completely ignoring personal knowledge.
> 
> Do you have any insight into what proportion of PGP/GPG users mean their signatures as "personal knowledge" (my preference and evidently yours), versus "government ID" (my perception of the community standard "best practice"), versus "no verification in particular" (my perception of the actual common practice in many cases)?
> 
> (In my ideal world, we'd have a machine-readable way of indicating what sort of verification was performed. Signing policies, not being machine readable or widely used, don't cover this well. There is space for key-value annotations in signature packets, which could help with this if we standardized on some.)
> 
> Glenn Willen

Surely to make it two factor it needs to be someone you know _and_ something they have? :-)
__outer