[Cryptography] PGP Key Signing parties
Tony Naggs
tonynaggs at gmail.com
Fri Oct 11 07:03:44 EDT 2013
On 10 October 2013 22:31, John Gilmore <gnu at toad.com> wrote:
>> Does PGP have any particular support for key signing parties built in or is
>> this just something that has grown up as a practice of use?
>
> It's just a practice. I agree that building a small amount of automation
> for key signing parties would improve the web of trust.
Do key signing parties even happen much anymore? The last time I saw
one advertised was around PGP 2.6!
>> I am specifically thinking of ways that key signing parties might be made
>> scalable so that it was possible for hundreds of thousands of people...
>
> An important user experience point is that we should be teaching GPG
> users to only sign the keys of people who they personally know.
> Having a signature that says, "This person attended the RSA conference
> in October 2013" is not particularly useful. (Such a signature could
> be generated by the conference organizers themselves, if they wanted
> to.) Since the conference organizers -- and most other attendees --
> don't know what an attendee's real identity is, their signature on
> that identity is worthless anyway.
I can sign the public keys of people I personally know without a key
signing party. :-)
For many purposes I don't care about a person's official, legal
identity, but I do want to communicate with a particular persona.
For instance at DefCon or CCC I neither know or care whether someone
identifies themselves to me by their legal name or hacker handle, but
it is very useful to know & authenticate that they are in control of a
private PGP/GPG key in that name on a particular date.
More information about the cryptography
mailing list