Re: Estonian e-residency

2017-02-08 Thread Richard Ulrich


On Tuesday, 07.02.2017, 11:33 +, Andrew Gallagher wrote:
> On 06/02/17 09:37, Richard Ulrich wrote:
> > 
> > So we sometimes resort to keybase.io. There the key is verified by
> > some social media. Sure, if the social media profiles have existed
> > for some years and have some legitimate looking interactions, it is
> > a good indicator that it's not a fake account. But still, I would
> > trust a government verification more than social media.
> keybase.io is a great idea. But its main use is to tie a PGP key to a
> social media account or accounts that act as a surrogate web of trust
> (by being referenced in multiple independent places by hopefully
> reputable third parties). But if your correspondent's social network
> does not overlap with yours, again I'm not sure much value is added.
Every piece adds to the probability of the key being valid.

> > For example I bought a car last week with Bitcoin. The person that
> > handled the payment for the seller was not present, but gave me his
> > keybase.io user name on the phone. He signed the email containing
> > the Bitcoin address for the payments with his GPG key. He didn't
> > have any signatures on his key.
> I'm not sure I would have the cojones to follow through with this deal,
> signatures or no. ;-)
> 
> > 
> > In this scenario I'm grateful for every piece of validation to give
> > the key more credibility.
> In a scenario where you do not know the intermediary, the only
> meaningful validation is whether the vendor vouches for both the
> intermediary's person and key. The fact that the intermediary
> offers you *an* identity doesn't mean you are validating the correct
> identity.
He is the business partner of the son of the seller. The son was
present and wrote the info down for me.

> If for example he had given you a key signed by a Russian government
> agency, would you have had more confidence? Granted, you like (and
> obviously trust to some extent) the Estonian e-ID system. Others might
> not have so much faith.
> 
> Sorry if I'm coming across as a little harsh, but you are proposing
> spending hard cash and I'd hate to see you do so and not get your
> money's worth. By all means, get an e-ID for the fun, for experiment,
> or to start up a company. But signing PGP keys with it is non-standard,
> and it's hard enough to convince most people to verify
> keys via standard methods.
> 
> The problem with any PKI (which we still haven't cracked) is that the
> motivation to get your key signed is "How do I prove my identity to
> others", while the motivation of the person verifying the key is "To
> what extent should I trust this person". And unfortunately, the two
> questions are far from equivalent.
Usually the proof of identity is done with government-issued IDs. So
the Estonian e-residency smart card is not so much different in that
regard.
Of course it would be better if every country issued something like
that to its citizens. And even better if that was compatible with GPG.
But until that happens we might have to improvise sometimes.
There is also SuisseID, which is somewhat similar, but the cost is so
high that nobody is interested.

Rgds
Richard

> 
> A
> 
> ___
> Gnupg-users mailing list
> Gnupg-users@gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users


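An added illustration of the web-of-trust point discussed above, written for this page and not taken from the thread or from GnuPG: a small Python model of GnuPG's classic key-validity rules (the defaults of 3 marginals, 1 complete and a maximum certification depth of 5 are assumed) run over a constructed set of keys. It shows why a key that carries only its own self-signature stays "unknown" however many keybase-style attestations sit beside it, and how each certification from a key you have assigned ownertrust to adds up.

```python
# Added example, not GnuPG's code: a model of GnuPG's classic web-of-trust rules.
MARGINALS_NEEDED = 3   # assumed GnuPG default --marginals-needed
COMPLETES_NEEDED = 1   # assumed GnuPG default --completes-needed
MAX_CERT_DEPTH = 5     # assumed GnuPG default --max-cert-depth
COUNTS_AS = {"ultimate": "full", "full": "full", "marginal": "marginal"}


def key_validity(my_key, ownertrust, certs):
    """certs: {key: set of keys that certified it}; ownertrust: {key: level},
    level being 'ultimate', 'full', 'marginal', 'never' or 'unknown'.
    Returns {key: 'full' | 'marginal' | 'unknown'} for every key in certs."""
    valid, depth = {my_key: "full"}, {my_key: 0}
    result = {k: ("full" if k == my_key else "unknown") for k in certs}
    changed = True
    while changed:  # iterate to a fixed point, one certification depth at a time
        changed = False
        for key, signers in certs.items():
            if key in valid:
                continue
            counts, dmin = {"full": 0, "marginal": 0}, MAX_CERT_DEPTH
            for s in signers:
                # self-sigs and sigs from keys I have not validated count for nothing
                if s == key or s not in valid or depth[s] >= MAX_CERT_DEPTH:
                    continue
                level = COUNTS_AS.get(ownertrust.get(s, "unknown"))  # my trust in s
                if level is None:  # 'never'/'unknown': valid key, not trusted to certify
                    continue
                counts[level] += 1
                dmin = min(dmin, depth[s] + 1)
            if counts["full"] >= COMPLETES_NEEDED or counts["marginal"] >= MARGINALS_NEEDED:
                valid[key], depth[key], result[key] = "full", dmin, "full"
                changed = True
            elif sum(counts.values()):
                result[key] = "marginal"  # some trusted certifications, not enough
    return result


def thread_scenario():
    """Constructed sample (not real keys): 'intermediary' mirrors the key in the
    thread that carries only its own self-signature."""
    certs = {
        "me": {"me"}, "alice": {"me", "alice"}, "bob": {"me"}, "carol": {"me"}, "dave": {"me"},
        "vendor": {"bob", "carol", "dave"},   # three marginally trusted certifiers
        "shop": {"bob", "carol"},             # only two: not enough
        "vendor_partner": {"vendor"},         # valid certifier, but no ownertrust
        "intermediary": {"intermediary"},     # self-signature only
        "colleague": {"alice"},               # one fully trusted certifier
    }
    ownertrust = {"me": "ultimate", "alice": "full",
                  "bob": "marginal", "carol": "marginal", "dave": "marginal"}
    return key_validity("me", ownertrust, certs)
```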

Re: Estonian e-residency

2017-02-07 Thread Andrew Gallagher
On 06/02/17 09:37, Richard Ulrich wrote:
> So we sometimes resort to keybase.io. There the key is verified by
> some social media. Sure, if the social media profiles have existed
> for some years and have some legitimate looking interactions, it is
> a good indicator that it's not a fake account. But still, I would
> trust a government verification more than social media.

keybase.io is a great idea. But its main use is to tie a PGP key to a
social media account or accounts that act as a surrogate web of trust
(by being referenced in multiple independent places by hopefully
reputable third parties). But if your correspondent's social network
does not overlap with yours, again I'm not sure much value is added.

> For example I bought a car last week with Bitcoin. The person that 
> handled the payment for the seller was not present, but gave me his 
> keybase.io user name on the phone. He signed the email containing 
> the Bitcoin address for the payments with his GPG key. He didn't 
> have any signatures on his key.

I'm not sure I would have the cojones to follow through with this deal,
signatures or no. ;-)

> In this scenario I'm grateful for every piece of validation to give
> the key more credibility.

In a scenario where you do not know the intermediary, the only
meaningful validation is whether the vendor vouches for both the
intermediary's person and key. The fact that the intermediary
offers you *an* identity doesn't mean you are validating the correct
identity.

If for example he had given you a key signed by a Russian government
agency, would you have had more confidence? Granted, you like (and
obviously trust to some extent) the Estonian e-ID system. Others might
not have so much faith.

Sorry if I'm coming across as a little harsh, but you are proposing
spending hard cash and I'd hate to see you do so and not get your
money's worth. By all means, get an e-ID for the fun, for experiment,
or to start up a company. But signing PGP keys with it is non-standard,
and it's hard enough to convince most people to verify
keys via standard methods.

The problem with any PKI (which we still haven't cracked) is that the
motivation to get your key signed is "How do I prove my identity to
others", while the motivation of the person verifying the key is "To
what extent should I trust this person". And unfortunately, the two
questions are far from equivalent.

A





Re: Estonian e-residency

2017-02-06 Thread Richard Ulrich
Hi Andrew,

of course it is better to directly sign the key.
And it is also better if there is a short path in the web of trust.
But my use case is for when there is no path at all in the web of
trust.

Most people I know don't even have a GPG key. And of the ones that have
a key, chances are high that they don't have any signatures on it.

So we sometimes resort to keybase.io. There the key is verified by some
social media. Sure, if the social media profiles have existed for some
years and have some legitimate looking interactions, it is a good
indicator that it's not a fake account.
But still, I would trust a government verification more than social
media.

For example I bought a car last week with Bitcoin. The person that
handled the payment for the seller was not present, but gave me his
keybase.io user name on the phone. He signed the email containing the
Bitcoin address for the payments with his GPG key.
He didn't have any signatures on his key. 
In this scenario I'm grateful for every piece of validation to give the
key more credibility.

Rgds
Richard


On Thursday, 02.02.2017, 13:42 +, Andrew Gallagher wrote:
> On 02/02/17 12:02, Richard Ulrich wrote:
> > 
> > I thought about applying for Estonian e-residency for the sole
> > reason of adding credibility to my GPG key. My idea would be to sign
> > my GPG key with the ID card. This could give people who are not in
> > my web of trust a head start.
> Which particular people? And a head start at doing what?
> 
> AIUI the e-residency signature is not PGP-compatible, so people will
> need to verify it using a separate tool. And once I have verified your
> e-residency signature, what does it mean to me? At best, it tells me
> that you are one of possibly many people known to the Estonian
> Government as "Richard Ulrich". Unless I have already dealt with you
> elsewhere via your Estonian ID, how does this help me?
> 
> What particular problem are you trying to solve? It seems to me that
> unless you are going to use your E-identity for some other purpose,
> tying your GPG key to it adds little value. You say your sole reason
> for applying for e-residency is to add "credibility" to your existing
> key. But how is asking the Estonian government to verify your passport
> more credible than producing your passport at a keysigning party? Or
> better still, showing it to the actual person you want to talk to?
> 
> Andrew.
> 


Re: Estonian e-residency

2017-02-02 Thread Andrew Gallagher
On 02/02/17 12:02, Richard Ulrich wrote:
> I thought about applying for Estonian e-residency for the sole
> reason of adding credibility to my GPG key. My idea would be to sign
> my GPG key with the ID card. This could give people who are not in
> my web of trust a head start.

Which particular people? And a head start at doing what?

AIUI the e-residency signature is not PGP-compatible, so people will
need to verify it using a separate tool. And once I have verified your
e-residency signature, what does it mean to me? At best, it tells me
that you are one of possibly many people known to the Estonian
Government as "Richard Ulrich". Unless I have already dealt with you
elsewhere via your Estonian ID, how does this help me?

What particular problem are you trying to solve? It seems to me that
unless you are going to use your E-identity for some other purpose,
tying your GPG key to it adds little value. You say your sole reason
for applying for e-residency is to add "credibility" to your existing
key. But how is asking the Estonian government to verify your passport
more credible than producing your passport at a keysigning party? Or
better still, showing it to the actual person you want to talk to?

Andrew.





Estonian e-residency

2017-02-02 Thread Richard Ulrich
Hi,

This was probably discussed here before, but I didn't find it. 
So, feel free to direct me to the old feeds.

I thought about applying for Estonian e-residency for the sole reason
of adding credibility to my GPG key. My idea would be to sign my GPG
key with the ID card. This could give people who are not in my web of
trust a head start.
What do you think of that?

Rgds
Richard
