[Cryptography] ToFU +- SaFU

Nicholas Bohm nbohm at ernest.net
Wed Apr 15 16:26:55 EDT 2015


On 14/04/2015 21:12, John Denker wrote:

[...]

> The semantics of signing a /key/ seems IMHO undefined and
> undefinable.  In the real world we have ways of specifying
> what a signature means.  A contract spells out in detail
> what its signatures mean.  A signature on the front of a
> check means one thing, while a signature on the back means
> something else.  A signature on a candidate's nominating
> petition means something else yet again.
>
> It makes sense to PGP-sign a contract (or an email) ...
> but signing a "key" is highly problematic, because there
> is so little control over the semantics.

[...]

> Also:  We need to stop signing "keys" and instead sign
> things where the semantics is clearly specified.

[...]

> My PGP signature on this email indicates that I sent it,
> and that it represents a snapshot of my opinions.

The semantics of signing a PGP key are indeed obscure.  It seems
regrettable that there is no way for the signer to spell out what the
signature is intended to mean.

Backing up one step, what are the semantics of publishing a public key?
What is being promised about the relationship between the publisher and
either the signatures that it can verify or the scope of access to
messages which it is used to encrypt?

If a public key is published on a web page controlled by the publisher,
it can be used to spell this out.  My own attempt appears with the key
(see the link below).

Nicholas Bohm
-- 
Contact and PGP key here <http://www.ernest.net/contact/index.htm>
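Denker's point, put into code: sign a statement that spells out the semantics rather than bare key bytes. This is an added example, not code from the list or from either poster; the KeyStatement format, its field names and the sample values are constructed for illustration, with Ed25519 standing in for PGP.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// KeyStatement is a constructed format: the holder signs a statement of what the key means.
type KeyStatement struct {
	Holder      string   `json:"holder"`      // who makes the assertion
	Fingerprint string   `json:"fingerprint"` // hex SHA-256 of the public key
	MayVerify   []string `json:"may_verify"`  // what a signature by this key asserts
	Encryption  string   `json:"encryption"`  // who can read messages encrypted to it
}

// Fingerprint binds a statement to one specific public key.
func Fingerprint(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:])
}

// SignStatement signs the canonical (JSON, fixed field order) statement bytes.
func SignStatement(priv ed25519.PrivateKey, st KeyStatement) ([]byte, []byte, error) {
	canon, err := json.Marshal(st)
	if err != nil {
		return nil, nil, err
	}
	return canon, ed25519.Sign(priv, canon), nil
}

// VerifyStatement checks the signature and that the statement names the signing key.
func VerifyStatement(pub ed25519.PublicKey, canon, sig []byte) (KeyStatement, bool) {
	var st KeyStatement
	if !ed25519.Verify(pub, canon, sig) || json.Unmarshal(canon, &st) != nil {
		return st, false
	}
	return st, st.Fingerprint == Fingerprint(pub)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	st := KeyStatement{"Example Holder", Fingerprint(pub), []string{"authorship of email"}, "holder only"}
	canon, sig, _ := SignStatement(priv, st) // constructed values throughout
	_, ok := VerifyStatement(pub, canon, sig)
	fmt.Println("statement verifies:", ok)
}
```

An altered scope, or a statement naming some other key, fails verification even though the signature itself is valid for the bytes it was made over.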