I took a whack at revising the instructions. They are in the docs directory of the
contributors' repository. I was going for clarity and to respond to some feedback
along the same lines as yours. See what you think; edit the file - please!


On Wednesday, October 15, 2003, at 12:58 AM, Sander Temme wrote:
I assume that people more knowledgeable than I will critique this, but
this works for me...

I don't know if I'm more knowledgeable, but I have in the past volunteered
to set up a centrally organized keysigning party at Apachecon, and still
intend to do so if the planners will have me...

I'm not in that loop. I doubt you need permission. I say go for it!

Note that this centrally organized keysigning does not in any way monopolize
the signing of keys: people are welcome, and in fact encouraged, to sign
each other's keys on an individual basis. The event will merely aim to
streamline the identification process.

hear hear

...

When you encounter folks who might sign your key, offer them the scrap
of paper with your fingerprint on it and ask for one in return.
Always ask to see some official (picture, government, etc.) ID.  You
might be tempted to ask for official ID only when you're less than
absolutely certain that you know who you're dealing with.  By always
asking you both set a good precedent and you don't have to admit
when you are or aren't entirely certain about somebody's identity.
That can be embarrassing.

I do not see why we should trust the government to say who we are, but they
frequently claim they can. In fact, this document contradicts itself; see
below.

I rewrote all that section.

Later, but soon, you should: (a) find their key, (b) sign it and (c)
upload the result back to the key server you downloaded it from in
step (a).  You're done, you're cool.  With luck they will get around to
signing your key at some point too.

I actually advocate mailing the signed key back to its owner. This action
may just prod the owner into returning the favour. The owner can then choose
to upload their key with your (and perhaps other) new signatures on it.

Interesting. I like to go straight back to the key server so the network grows.
I think emailing back to the key owner at the same time would be a can't hurt.


As a nearly irrelevant aside - I'm ambivalent about reciprocity in a gift community.

Signing a key does not indicate that you "trust" the person. It only
indicates that you believe that key is associated with the correct
person. In fact it's valuable to the whole network of signatures if
you sign the keys of members of other communities. So signing the keys
of near strangers is a good thing. Just be confident of their identity.

Why would we have to be confident of their identity? Immediately above, you
just say that "you believe that key is associated with the correct person".
So we vouch for the connection between that particular carbon-based lifeform
and said key. Why would we care who the state or country that they come from
says they are?

hm. this stuff is such a pain to talk about because the words all have such complex real world meanings. In my latest rewrite I tried a different way of stating the rules of the road. I'm not comfortable signing keys of people who have labeled the key with a pseudonym; particularly one that might be mistaken for a real person. I might make exceptions. Exceptionally large rodent, maybe; imperialist weasel, doubtful.


S. (thinks he's not paranoid enough)

- ben (who thinks that the web of PGP signatures doesn't grow because people can't figure out the rules and are embarrassed to admit it)


