On 20/08/14 12:06, Alaric Snell-Pym wrote:
> On 19/08/14 19:07, Bruce Leidl wrote:
>> On Tue, Aug 19, 2014 at 8:45 AM, Ximin Luo <[email protected]> wrote:
>>
>>> These are not specified in great detail, partly because there are so many
>>> ways of doing it, but it is an important part of the system. Often we don't
>>> even have an agreed precise *definition* of what it means for the key to be
>>> valid. We only have rough definitions, and we try to design auditing and
>>> monitoring around this; this is brittle and so we should decide on more
>>> precise definitions.
>>
>> I think there are two philosophies on what constitutes a valid key
>> certification: (1) You can verify real life identities, or (2) you can
>> verify email addresses.
>
> I'd suggest a third: (3) you can verify somebody by their past actions.
> Somebody who reads my occasional posts to this list and thinks me a
> wonderful, erudite, enlightened, person might want to contact me
> securely; I can build up such a reputation (and, after all, what more is
> there to an "identity" than a reputation that identity has?) by signing
> everything with the same key.
>
> Any binding to real name or email address is then merely a convenience,
> so one knows how to address me (although to be honest, "hey dickhead"
> will do just fine) and an address I'm likely to be reachable at; in
> either case, a mere statement (signed by me) of my email address and
> name is sufficient.
>
> I think that a very important test for "validity" is just "is this the
> same person as I've seen before", either with the same key or with a
> signed statement asserting that the new key is also theirs...
>
Bindings of the form (actions) -> (key) are harder to bootstrap - current systems would restrict you only to actions that can be signed, such as making comments, commits, files. If we bind to real-world identities, we can use our knowledge of real actions performed by them to build up our view of their reputation more quickly. I'm not sure how to bind these things directly to a key.

X

--
GPG: 4096R/1318EFAC5FBBDBCE
git://github.com/infinity0/pubkeys.git
_______________________________________________
Messaging mailing list
[email protected]
https://moderncrypto.org/mailman/listinfo/messaging
