On 11/10/13 02:24 AM, Glenn Willen wrote:
John,
On Oct 10, 2013, at 2:31 PM, John Gilmore wrote:
... Signing them would assert to
any stranger that "I know that this key belongs to this identity", which
would be false and would undermine the strength of the web of trust.
Where is this writ?
I am going to be interested to hear what the rest of the list says about this,
because this definitely contradicts what has been presented to me as 'standard
practice' for PGP use -- verifying identity using government issued ID, and
completely ignoring personal knowledge.
+1 I grew up in the "sign-on-first-meet" doctrine.
Do you have any insight into what proportion of PGP/GPG users mean their signatures as "personal knowledge"
(my preference and evidently yours), versus "government ID" (my perception of the community standard
"best practice"), versus "no verification in particular" (my perception of the actual common
practice in many cases)?
Good question.
(In my ideal world, we'd have a machine readable way of indication what sort of
verification was performed. Signing policies, not being machine readable or
widely used, don't cover this well. There is space for key-value annotations in
signature packets, which could help with this if we standardized on some.)
Right. A signature has to mean something. What is that something? The
CA world is mumble mumble over semantics, whereas the PGP world openly
offers incompatible conventions. Which is better or worse is beyond me.
iang
_______________________________________________
The cryptography mailing list
[email protected]
http://www.metzdowd.com/mailman/listinfo/cryptography
