On Oct 10, 2013, at 2:31 PM, John Gilmore wrote:
> An important user experience point is that we should be teaching GPG
> users to only sign the keys of people who they personally know.
> Having a signature that says, "This person attended the RSA conference
> in October 2013" is not particularly useful.  (Such a signature could
> be generated by the conference organizers themselves, if they wanted
> to.)  Since the conference organizers -- and most other attendees --
> don't know what an attendee's real identity is, their signature on
> that identity is worthless anyway.
> So, if I participate in a key signing party with a dozen people, but I
> only personally know four of them, I will only sign the keys of those
> four.  I may have learned a public key for each of the dozen, but that
> is separate from me signing those keys.  Signing them would assert to
> any stranger that "I know that this key belongs to this identity", which
> would be false and would undermine the strength of the web of trust.

I am going to be interested to hear what the rest of the list says about this, 
because this definitely contradicts what has been presented to me as 'standard 
practice' for PGP use -- verifying identity using government issued ID, and 
completely ignoring personal knowledge.

Do you have any insight into what proportion of PGP/GPG users mean their 
signatures as "personal knowledge" (my preference and evidently yours), versus 
"government ID" (my perception of the community standard "best practice"), 
versus "no verification in particular" (my perception of the actual common 
practice in many cases)?

(In my ideal world, we'd have a machine readable way of indicating what sort of 
verification was performed. Signing policies, not being machine readable or 
widely used, don't cover this well. There is space for key-value annotations in 
signature packets, which could help with this if we standardized on some.)

Glenn Willen
The cryptography mailing list
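The "key-value annotations in signature packets" mentioned above are OpenPGP notation data subpackets (RFC 4880 section 5.2.3.16, subpacket type 20). As an added example that is not part of the thread, the following encodes and parses such a subpacket to show how a certification could carry a machine-readable record of the verification performed; the notation name `verification@example.org` and its values are assumptions, not a standardized notation.

```python
import struct

SUBPACKET_NOTATION_DATA = 20   # RFC 4880 section 5.2.3.16
FLAG_HUMAN_READABLE = 0x80000000

def encode_subpacket_length(n):
    # RFC 4880 section 5.2.3.1: one, two or five octet length encodings.
    if n < 192:
        return bytes([n])
    if n < 8384:
        n -= 192
        return bytes([(n >> 8) + 192, n & 0xFF])
    return b"\xff" + struct.pack(">I", n)

def decode_subpacket_length(buf, pos):
    first = buf[pos]
    if first < 192:
        return first, pos + 1
    if first < 255:
        return ((first - 192) << 8) + buf[pos + 1] + 192, pos + 2
    return struct.unpack(">I", buf[pos + 1:pos + 5])[0], pos + 5

def encode_notation(name, value, human_readable=True):
    # Notation body: 4 octets of flags, 2-octet name length, 2-octet value
    # length, then the name and the value (both hypothetical in this example).
    name_b, value_b = name.encode("utf-8"), value.encode("utf-8")
    flags = FLAG_HUMAN_READABLE if human_readable else 0
    body = struct.pack(">IHH", flags, len(name_b), len(value_b)) + name_b + value_b
    # The subpacket length covers the type octet plus the body.
    return (encode_subpacket_length(len(body) + 1)
            + bytes([SUBPACKET_NOTATION_DATA]) + body)

def parse_notations(subpacket_area):
    # Walk a (hashed) subpacket area and return (name, value, human_readable) for
    # every notation; other subpacket types are skipped, the critical bit masked.
    found, pos = [], 0
    while pos < len(subpacket_area):
        length, pos = decode_subpacket_length(subpacket_area, pos)
        sp_type = subpacket_area[pos] & 0x7F
        data = subpacket_area[pos + 1:pos + length]
        pos += length
        if sp_type != SUBPACKET_NOTATION_DATA:
            continue
        flags, nlen, vlen = struct.unpack(">IHH", data[:8])
        name = data[8:8 + nlen].decode("utf-8")
        value = data[8 + nlen:8 + nlen + vlen]
        readable = bool(flags & FLAG_HUMAN_READABLE)
        found.append((name, value.decode("utf-8") if readable else value, readable))
    return found
```

A verifier reading a certification could then treat a "personal-knowledge" notation differently from a "government-id" one, which is the distinction the message asks about.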
