Hi

On Saturday 3 May 2014 at 7:56:55 PM, in <mid:[email protected]>, William Hay wrote:

> In most cases this would have the opposite answer to
> the second question. It might make things simpler to
> combine them in practice:
> Is this an unaltered message/file from the purported
> sender?

Combining is good. Back to two simple questions. But I disagree with the premise that the third question would usually have had the opposite answer to the second: emails are frequently slightly altered in transit, breaking the signature, but still came from the purported sender.

> You're right. If we're not issuing certs/letters of introduction then
> there is no need. If we are then for compatibility with the existing
> WoT I don't think we can avoid asking.

I refer you to an article on Daniel Kahn Gillmor's blog. <https://www.debian-administration.org/users/dkg/weblog/98>

> Presumably if implementing with the existing gnupg
> infrastructure this would be a non-exportable generic
> certification?

Yes. Exactly what you would get by default from applying a non-exportable signature with GnuPG.

> Once you start doing things publicly one would need to
> pick a certification level in order to inter-operate
> with the existing WoT. It isn't clear to me that there
> is a good default.

The existing default of an 0x10 "Generic certification" is a good default. GnuPG only prompts you to pick a certification level if you enable the "--ask-cert-level" option, which is disabled by default. As far as I know, the level doesn't affect WoT calculations.

> My original phrasing was intended to fit in with the
> letter of introduction metaphor. While in the long run
> I may have to kill my darlings for now I'll stick to
> trying to make my pet metaphor work. In that context I
> think leading off the whole thing with "To whom it may
> concern," might work better than a separate public
> declaration for each uid.

"To whom it may concern" is much more subtle than "I hereby publicly state," but a letter of introduction that was not specifically addressed could be considered a form of public declaration. I still think there is merit in making the user choose which UIDs to include in the letter of introduction: some of them may include email addresses, roles, or personas outwith the user's knowledge of the key owner.

-- 
Best regards

MFPA mailto:[email protected]

No matter what a man's past may have been, his future is spotless.
