On 08.10.2012 13:44, Franklin, Matthew B. wrote:
>> -----Original Message-----
>> From: Marvin Humphrey [mailto:mar...@rectangular.com]
>> Sent: Friday, October 05, 2012 8:54 PM
>> To: general@incubator.apache.org
>> Subject: Re: key signing
>>
>> On Fri, Oct 5, 2012 at 8:55 AM, Jukka Zitting <jukka.zitt...@gmail.com> 
>> wrote:
>>> It's good to recommend people to get their keys signed by someone in
>>> the Apache web of trust and I think we could do more in that area,
>> Maybe if we didn't insist on face-to-face meetings we'd get better adoption
>> rates.
>>
>> Apache dev docs:
>>
>>    http://www.apache.org/dev/openpgp.html#wot-link-in
>>
>>    How To Link Into A Public Web Of Trust
>>
>>    In short, expect that:
>>
>>        *   this will involve a face-to-face meeting
>>
>> GnuPG docs:
>>
>>    http://www.gnupg.org/gph/en/manual.html#AEN84
>>
>>    A key's fingerprint is verified with the key's owner.  This may be done in
>>    person or over the phone or through any other means as long as you can
>>    guarantee that you are communicating with the key's true owner.
> +1.  I think with technologies like Skype & Google Hangout, we can get the 
> same level of assurance of a person's identity as a physical key signing 
> party.

What guarantee do you have that a particular Skype ID is whoever you
think it is? None at all, unless the person involved looked at your
Skype contact list and said, yeah, that's me. Likewise for Google
Hangout. As long as they're doing that, they might as well verify the
signature fingerprint in your PGP keyring.

In this respect e-mail is just as secure, so why don't we all just sign
keys because someone claiming to be from Chad sent us a mail asking
us for a signature?

Really.

-- Brane

