On 10 October 2013 22:31, John Gilmore <g...@toad.com> wrote:
>> Does PGP have any particular support for key signing parties built in or is
>> this just something that has grown up as a practice of use?
> It's just a practice.  I agree that building a small amount of automation
> for key signing parties would improve the web of trust.

Do key signing parties even happen much anymore? The last time I saw
one advertised was around PGP 2.6!

>> I am specifically thinking of ways that key signing parties might be made
>> scalable so that it was possible for hundreds of thousands of people...
> An important user experience point is that we should be teaching GPG
> users to only sign the keys of people who they personally know.
> Having a signature that says, "This person attended the RSA conference
> in October 2013" is not particularly useful.  (Such a signature could
> be generated by the conference organizers themselves, if they wanted
> to.)  Since the conference organizers -- and most other attendees --
> don't know what an attendee's real identity is, their signature on
> that identity is worthless anyway.

I can sign the public keys of people I personally know without a key
signing party. :-)

For many purposes I don't care about a person's official, legal
identity, but I do want to communicate with a particular persona.
For instance at DefCon or CCC I neither know or care whether someone
identifies themselves to me by their legal name or hacker handle, but
it is very useful to know & authenticate that they are in control of a
private PGP/GPG key in that name on a particular date.
The cryptography mailing list

Reply via email to