On 11/10/13 02:24 AM, Glenn Willen wrote:

> On Oct 10, 2013, at 2:31 PM, John Gilmore wrote:
>
> > ...  Signing them would assert to
> > any stranger that "I know that this key belongs to this identity", which
> > would be false and would undermine the strength of the web of trust.
>
> Where is this writ?

> I am going to be interested to hear what the rest of the list says about this,
> because this definitely contradicts what has been presented to me as 'standard
> practice' for PGP use -- verifying identity using government issued ID, and
> completely ignoring personal knowledge.

+1  I grew up in the "sign-on-first-meet" doctrine.

> Do you have any insight into what proportion of PGP/GPG users mean their signatures as "personal knowledge"
> (my preference and evidently yours), versus "government ID" (my perception of the community standard
> "best practice"), versus "no verification in particular" (my perception of the actual common
> practice in many cases)?

Good question.

> (In my ideal world, we'd have a machine readable way of indicating what sort of
> verification was performed. Signing policies, not being machine readable or
> widely used, don't cover this well. There is space for key-value annotations in
> signature packets, which could help with this if we standardized on some.)

Right. A signature has to mean something. What is that something? The CA world is mumble mumble over semantics, whereas the PGP world openly offers incompatible conventions. Which is better or worse is beyond me.
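The key-value annotations mentioned above are the notation data subpackets of RFC 4880 (section 5.2.3.16); GnuPG attaches one to a key certification with `--cert-notation name=value`. The following is an added example, not code from the thread or from any OpenPGP implementation: it builds a hashed-subpacket area the way a certification signature carries it, records a "government-id" verification under the hypothetical notation name `verification@example.org` (RFC 4880 requires user-defined names to carry an `@domain` part; no standard name exists for this), parses it back, and shows the check a verifier is expected to apply when a notation is marked critical and it does not understand it. The sample area and its timestamp are constructed for the example.

```python
"""Notation data in OpenPGP signature subpackets (RFC 4880, sections 5.2.3.1 and 5.2.3.16).

Builds a hashed-subpacket area as a certification signature would carry it, attaches a
machine-readable "what verification was done" annotation as a notation subpacket, and
parses it back out.  The notation name verification@example.org is a hypothetical
convention for this example, not a standardized one.
"""
import struct

SUBPKT_SIG_CREATION_TIME = 2
SUBPKT_NOTATION_DATA = 20
CRITICAL_BIT = 0x80                    # high bit of the subpacket type octet
NOTATION_HUMAN_READABLE = 0x80000000   # notation flags word: value is UTF-8 text


def encode_subpacket_length(n):
    """Subpacket length octets per RFC 4880 section 5.2.3.1 (1, 2 or 5 octets)."""
    if n < 192:
        return bytes([n])
    if n < 16320:
        n -= 192
        return bytes([(n >> 8) + 192, n & 0xFF])
    return b"\xff" + struct.pack(">I", n)


def decode_subpacket_length(buf, pos):
    """Return (length, position just after the length octets)."""
    first = buf[pos]
    if first < 192:
        return first, pos + 1
    if first < 255:
        return ((first - 192) << 8) + buf[pos + 1] + 192, pos + 2
    return struct.unpack(">I", buf[pos + 1:pos + 5])[0], pos + 5


def build_subpacket(sub_type, body, critical=False):
    """One subpacket; the length covers the type octet plus the body."""
    type_octet = sub_type | (CRITICAL_BIT if critical else 0)
    return encode_subpacket_length(len(body) + 1) + bytes([type_octet]) + body


def build_notation(name, value, critical=False):
    """Notation data: 4 flag octets, 2-octet name length, 2-octet value length, name, value."""
    name_b, value_b = name.encode("utf-8"), value.encode("utf-8")
    body = struct.pack(">IHH", NOTATION_HUMAN_READABLE, len(name_b), len(value_b)) + name_b + value_b
    return build_subpacket(SUBPKT_NOTATION_DATA, body, critical)


def parse_subpackets(area):
    """Return [(type, critical, body), ...] for every subpacket in a subpacket area."""
    pos, out = 0, []
    while pos < len(area):
        length, pos = decode_subpacket_length(area, pos)
        if length == 0 or pos + length > len(area):
            raise ValueError("truncated or malformed subpacket")
        type_octet = area[pos]
        out.append((type_octet & 0x7F, bool(type_octet & CRITICAL_BIT), area[pos + 1:pos + length]))
        pos += length
    return out


def parse_notation(body):
    """Return (name, value); the value stays bytes unless the human-readable flag is set."""
    flags, name_len, value_len = struct.unpack(">IHH", body[:8])
    name = body[8:8 + name_len].decode("utf-8")
    value = body[8 + name_len:8 + name_len + value_len]
    if flags & NOTATION_HUMAN_READABLE:
        value = value.decode("utf-8")
    return name, value


def notations(area):
    """Map notation name -> value for all notation subpackets in the area."""
    return dict(parse_notation(body) for t, _, body in parse_subpackets(area) if t == SUBPKT_NOTATION_DATA)


def unknown_critical(area, known_types=(SUBPKT_SIG_CREATION_TIME, SUBPKT_NOTATION_DATA)):
    """Types of critical subpackets the caller does not understand.  RFC 4880 section 5.2.3.1
    says a verifier SHOULD treat the signature as invalid when this list is non-empty."""
    return [t for t, critical, _ in parse_subpackets(area) if critical and t not in known_types]


# Constructed sample: a hashed-subpacket area holding a creation time and a critical notation
# stating that the certifier checked a government-issued ID (hypothetical convention).
SAMPLE_AREA = (
    build_subpacket(SUBPKT_SIG_CREATION_TIME, struct.pack(">I", 1381400000))
    + build_notation("verification@example.org", "government-id", critical=True)
)

if __name__ == "__main__":
    print(notations(SAMPLE_AREA))
    print("unknown critical subpackets:", unknown_critical(SAMPLE_AREA))
    print("same area, verifier that knows no notations:", unknown_critical(SAMPLE_AREA, known_types=(2,)))
```

Marking the notation critical is the interesting design choice: a verifier that does not know the convention is then supposed to reject the certification outright rather than silently count it as an ordinary "I vouch for this identity" signature, which is exactly the ambiguity the thread is complaining about. Left non-critical, the annotation is advisory and older software will ignore it.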


The cryptography mailing list
