On 2013-10-10 (283), at 19:24:19, Glenn Willen <gwil...@nerdnet.org> wrote:

> John,
> On Oct 10, 2013, at 2:31 PM, John Gilmore wrote:
>> An important user experience point is that we should be teaching GPG
>> users to only sign the keys of people who they personally know.


>> would be false and would undermine the strength of the web of trust.
> I am going to be interested to hear what the rest of the list says about 
> this, because this definitely contradicts what has been presented to me as 
> 'standard practice' for PGP use -- verifying identity using government issued 
> ID, and completely ignoring personal knowledge.
> Do you have any insight into what proportion of PGP/GPG users mean their 
> signatures as "personal knowledge" (my preference and evidently yours), 
> versus "government ID" (my perception of the community standard "best 
> practice"), versus "no verification in particular" (my perception of the 
> actual common practice in many cases)?
> (In my ideal world, we'd have a machine readable way of indication what sort 
> of verification was performed. Signing policies, not being machine readable 
> or widely used, don't cover this well. There is space for key-value 
> annotations in signature packets, which could help with this if we 
> standardized on some.)
> Glenn Willen
> ______________________________________________

Surely to make it two factor it needs to be someone you know _and_ something 
they have? :-)

The cryptography mailing list

Reply via email to