[Cryptography] PGP Key Signing parties

Peter Gutmann pgut001 at cs.auckland.ac.nz
Fri Oct 11 03:05:58 EDT 2013


Glenn Willen <gwillen at nerdnet.org> writes:

>I am going to be interested to hear what the rest of the list says about
>this, because this definitely contradicts what has been presented to me as
>'standard practice' for PGP use -- verifying identity using government issued
>ID, and completely ignoring personal knowledge.

I've very rarely used that (would you recognise a fake European ID card, or NZ
passport, if you saw one?), I've always used either direct personal knowledge
or personal WoT, i.e. an introduction from someone I know, in person.  This is
exactly how organised crime does it (see "Codes of the Underworld: How
Criminals Communicate" by Diego Gambetta, damn good read), and it's extremely
effective, if you think your generic APT requires effort then look at what it
takes for law enforcement to get someone inside an organised crime ring.

Peter.

