Re: [free-software-melb] GnuPG key management

2013-08-13 Thread Andrew Spiers
Thanks for all the clarifications you've made, Ben. It's added a little clarity. About identification being hard, do many people embed photographs, or scans of their identity documents, within their pubkey, i.e. as discussed here? http://superuser.com/questions/336894/how-can-i-add-my-picture-to-my-p

Re: [free-software-melb] GnuPG key management

2013-08-13 Thread Adrian Colomitchi
BTW - I just re-read the "Web of trust" part of "Little brother" (takes < 10 mins): still by key-signing, still a "party", other goals (establishing transitive trust, not identity). Adrian On Tue, Aug 13, 2013 at 5:03 PM, Adrian Colomitchi wrote: >

Re: [free-software-melb] GnuPG key management

2013-08-13 Thread Adrian Colomitchi
Ah, I get it now. Key signing is one way of certifying identity. Identity *may* be a contributing factor in trust, but establishing a "Web of trust" is not the primary objective of the key signing parties. Thanks, Adrian On Tue, Aug 13, 2013 at 4:56 PM, Ben Finney < ben+freesoftw...@benfinne

Re: [free-software-melb] GnuPG key management

2013-08-12 Thread Ben Finney
Adrian Colomitchi writes: > My question: why is there a need for any other ID that's different > from the public key? The entire purpose of a keysigning party is to gather *independent verification* that the key ID is correctly associated with that person. This is why we ask for identifiers tha

Re: [free-software-melb] GnuPG key management

2013-08-12 Thread Ben Finney
Adrian Colomitchi writes: > Now, my question: what an email address has to do with the identity of the > owner? An email address is always globally unique. A common name (e.g. “Ben Finney”) is often not globally unique. Therefore, to identify an individual person, an email address is better tha

Re: [free-software-melb] GnuPG key management

2013-08-12 Thread Adrian Colomitchi
You seem to suggest that an email address is as best an ID as there could be. My question: why is there a need for any other ID that's different from the public key? I.e.: the "sufficient certification" should actually be "We, the signers of this public key, certify this public key belongs to a

Re: [free-software-melb] GnuPG key management

2013-08-12 Thread Brian May
On 13 August 2013 15:38, Adrian Colomitchi wrote: > Now, my question: what an email address has to do with the identity of the > owner? > By the same measure, what the "full person name" or any other > "govt/authority emitted ID" have to do with the identity of the owner? > I have the same probl

Re: [free-software-melb] GnuPG key management

2013-08-12 Thread Adrian Colomitchi
On Tue, Aug 13, 2013 at 10:24 AM, Brian May wrote: > On 12 August 2013 18:16, Adam Bolte wrote: > > > This is a really good point. I'm not sure which side of the fence is > > best, but I feel that we should quickly discuss this point on > > Thursday if time permits. > > > > Problem is that the na

Re: [free-software-melb] GnuPG key management

2013-08-12 Thread Aníbal Monsalve Salazar
On Tue, Aug 13, 2013 at 11:01:02AM +1000, Brian May wrote: > > For that matter, would anyone here object to signing the following key > for me? If so, why? If not, why not? > > Brian Mays http://web.archive.org/web/20070406152603/http://blog.madduck.net/geek/2006.05.24-tr-id-at-keysigning Duri

Re: [free-software-melb] GnuPG key management

2013-08-12 Thread Brian May
On 13 August 2013 10:39, Aníbal Monsalve Salazar wrote: > And not only that. If caff is used, the gpg signature will be sent > encrypted and the owner of the email address has to have the secret key > to open the encrypted signature. > Good point. For that matter, would anyone here object to s

Re: [free-software-melb] GnuPG key management

2013-08-12 Thread Aníbal Monsalve Salazar
On Tue, Aug 13, 2013 at 10:24:22AM +1000, Brian May wrote: > On 12 August 2013 18:16, Adam Bolte wrote: > >> This is a really good point. I'm not sure which side of the fence is >> best, but I feel that we should quickly discuss this point on >> Thursday if time permits. > > Problem is that the

Re: [free-software-melb] GnuPG key management

2013-08-12 Thread Brian May
On 12 August 2013 18:16, Adam Bolte wrote: > This is a really good point. I'm not sure which side of the fence is > best, but I feel that we should quickly discuss this point on > Thursday if time permits. > Problem is that the name of the person doesn't uniquely identify the person. The email [

Re: [free-software-melb] GnuPG key management

2013-08-12 Thread Adam Bolte
On Mon, Aug 12, 2013 at 05:04:50PM +1000, Glenn McIntosh wrote: > On 12/08/13 15:49, Ben Finney wrote: > > Rather, the purpose of your signature is to say “I met this person, > > verified they are who they say they are, and this person tells me this > > is their email address and public key”. > >

Re: [free-software-melb] GnuPG key management

2013-08-12 Thread Ben Finney
Glenn McIntosh writes: > On 12/08/13 15:49, Ben Finney wrote: > > Rather, the purpose of your signature is to say “I met this person, > > verified they are who they say they are, and this person tells me > > this is their email address and public key”. > > I don't think of it that way; when I sig

Re: [free-software-melb] GnuPG key management

2013-08-12 Thread Glenn McIntosh
On 12/08/13 15:49, Ben Finney wrote: > Rather, the purpose of your signature is to say “I met this person, > verified they are who they say they are, and this person tells me this > is their email address and public key”. I don't think of it that way; when I sign GPG keys, I am signing each uid s

Re: [free-software-melb] GnuPG key management

2013-08-11 Thread Ben Finney
Brian May writes: > Otherwise, how can you be sure that the email address you just signed is > correct? You don't need to know that it's correct. The purpose of your signature is not to say “this is a correct email address”, since that can change at any point in the future. Rather, the purpose

Re: [free-software-melb] GnuPG key management

2013-08-11 Thread Glenn McIntosh
On 12/08/13 11:24, Brian May wrote: > Note you really have to send the key to the person, using the email address > on the key you signed, and then get them to publish the key. > > Otherwise, how can you be sure that the email address you just signed is > correct? Yes, indeed. -- sks-keyservers.n

Re: [free-software-melb] GnuPG key management

2013-08-11 Thread Brian May
On 12 August 2013 11:13, Glenn McIntosh wrote: > I have come across one person who prefers to upload the signatures to > the public keyserver themselves, because they are particular about > sanitizing the signature set (such as rejecting ones that rely on SHA1 > instead of SHA512). > Note you re

Re: [free-software-melb] GnuPG key management

2013-08-11 Thread Glenn McIntosh
On 12/08/13 10:08, Ben Finney wrote: > So I think it's impolite to make use of a keysigning party, then decline > to put one's public key in the public keyserver network. What good > reasons are there to abstain? I have come across one person who prefers to upload the signatures to the public keys