On 19/08/14 19:07, Bruce Leidl wrote:
> On Tue, Aug 19, 2014 at 8:45 AM, Ximin Luo <[email protected]> wrote:
>
>> These are not specified in great detail, partly because there are so many
>> ways of doing it, but it is an important part of the system. Often we don't
>> even have an agreed precise *definition* of what it means for the key to be
>> valid. We only have rough definitions, and we try to design auditing and
>> monitoring around this; this is brittle and so we should decide on more
>> precise definitions.
>
> I think there are two philosophies on what constitutes a valid key
> certification: (1) You can verify real life identities, or (2) you can
> verify email addresses.
I'd suggest a third: (3) you can verify somebody by their past actions.

Somebody who reads my occasional posts to this list and thinks me a wonderful, erudite, enlightened person might want to contact me securely; I can build up such a reputation (and, after all, what more is there to an "identity" than a reputation that identity has?) by signing everything with the same key.

Any binding to real name or email address is then merely a convenience, so one knows how to address me (although to be honest, "hey dickhead" will do just fine) and an address I'm likely to be reachable at; in either case, a mere statement (signed by me) of my email address and name is sufficient.

I think that a very important test for "validity" is just "is this the same person as I've seen before", either with the same key or with a signed statement asserting that the new key is also theirs...

ABS

--
Alaric Snell-Pym
http://www.snell-pym.org.uk/alaric/
_______________________________________________
Messaging mailing list
[email protected]
https://moderncrypto.org/mailman/listinfo/messaging
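The continuity test described in the message above (same key as seen before, or a statement signed by the old key asserting that a new key is also theirs), written out as an added Go example that is not part of this thread. It assumes a hypothetical in-memory KeyStore, a hypothetical "key-transition:" framing for the signed statement, and Ed25519 from the Go standard library in place of OpenPGP.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)
// KeyStore maps a correspondent label to the key last seen from them
// (hypothetical in-memory store; a real client would persist it).
type KeyStore map[string]ed25519.PublicKey
// Transition is a statement, signed by the previously seen key, that
// NewKey also belongs to the same person.
type Transition struct {
	NewKey ed25519.PublicKey
	Sig    []byte // old-key signature over transitionBytes(NewKey)
}
func transitionBytes(newKey ed25519.PublicKey) []byte {
	return append([]byte("key-transition:"), newKey...) // assumed framing, not a standard
}
// Accept answers "is this the same person I have seen before?": msg must
// verify under the pinned key, or under a new key that the pinned key has
// vouched for via tr. On an accepted rotation the new key becomes the pin.
func (ks KeyStore) Accept(who string, msg, sig []byte, signer ed25519.PublicKey, tr *Transition) bool {
	pinned, seen := ks[who]
	if !seen {
		return false // no history to compare against; first sight is a separate decision
	}
	if pinned.Equal(signer) {
		return ed25519.Verify(pinned, msg, sig)
	}
	// Unfamiliar key: acceptable only if the pinned key signed a transition to it.
	if tr == nil || !tr.NewKey.Equal(signer) ||
		!ed25519.Verify(pinned, transitionBytes(tr.NewKey), tr.Sig) ||
		!ed25519.Verify(signer, msg, sig) {
		return false
	}
	ks[who] = signer
	return true
}

func main() {
	old, oldPriv, _ := ed25519.GenerateKey(rand.Reader)
	ks := KeyStore{"alaric": old} // pinned on first sight (constructed sample)
	msg := []byte("constructed sample post")
	fmt.Println("same key:", ks.Accept("alaric", msg, ed25519.Sign(oldPriv, msg), old, nil))
	neu, newPriv, _ := ed25519.GenerateKey(rand.Reader)
	fmt.Println("new key, no statement:", ks.Accept("alaric", msg, ed25519.Sign(newPriv, msg), neu, nil))
	tr := &Transition{NewKey: neu, Sig: ed25519.Sign(oldPriv, transitionBytes(neu))}
	fmt.Println("new key, signed statement:", ks.Accept("alaric", msg, ed25519.Sign(newPriv, msg), neu, tr))
}
```

A transition signed by the new key itself proves nothing, so Accept insists the statement verify under the previously pinned key.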
