[Freedombox-discuss] Why is the signing criteria higher for OpenPGP Certs than CA Certs?

Fifty Four fiftyfour at waldevin.com
Mon Apr 16 11:09:15 UTC 2012


Hi Elena ``of Valhalla''

> First of all, you could start cross-signing with OpenPGP-using local
> friends and co-workers: this could lead to a closed graph of contacts,
> but they are often high quality signatures, since people who have a RL
> relation are quite sure of the identities of each other (or even if
> there is a long-term fake identity involved they are sure that there
> is no impersonation of third parties).
I did think of that, but I was afraid we wouldn't sign the keys properly. I
have used Gnome Seahorse and it's so confusing.

> 
> Then there are sites like biglumber_ where you can look for people in
> your area (or areas you are going to visit) and arrange a meeting and
> signature exchange; this is a great way to connect your local graph to
> the wider web of trust.
> AFAIK aspiring Debian developers use a variant of this method to
> satisfy the requirement of a key signed by at least one other DD.
> 
> .. _biglumber: http://biglumber.com/
Thanks for the link. Never found this in my Google search results.

> 
> Keysigning parties are a third choice: while they are useful to get
> many signatures in a little time, they tend to have a lower quality,
> because at a signing party there is often little time to check each
> other's identity.
> 
> > I want OpenPGP to
> > succeed, but why can't I login into a site which signs the key of my
> > email address after my email address has been verified. Why can't the
> > same happen for an IM address? Couldn't a video call verify my
> > photo?
> 
> strictly speaking, there is nothing in OpenPGP that prevents you from
> creating a key that signs other keys based on an online exchange, and
> as long as there is a signing policy that explicitly states this
> practice the rest of the Web of Trust wouldn't be badly affected by
> this.
Thanks for confirming this is possible. Do you have a link to what you need
to do to link your keys to a signing policy?

> 
> There are examples of this: the `Arch Linux master keys`_ are used to
> sign the keys of people who are allowed to upload packages to the Arch
> Linux repositories, and their requirements for keysigning don't include
> meeting in person.
> 
> .. _`Arch Linux master keys`: https://www.archlinux.org/master-keys/
> 
> A website could do something similar: create their own key, verify the
> email address of a new user, sign their key and then allow logins using
> keys they have signed.
That's what I was thinking of too?

> This of course would be useless for the OpenPGP web of trust, except as
> a way to spread the idea that it exists and can be used, but wouldn't
> hurt it either.
If the "new user" is known to you, could you "trust" their key to grow the
web of trust?
> 
> --
> Elena ``of Valhalla''
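
How a certification can point at the signer's policy, as an added example that is not part of the original message: GnuPG's `--cert-policy-url` embeds a policy URI in each certification it makes, and `--default-cert-level` records how carefully the identity was checked. The key names, addresses and policy URL are constructed placeholders, and everything runs in a throwaway keyring.

```shell
#!/bin/sh
# Added example: every key, address and the policy URL below is a constructed
# placeholder, created in a throwaway GNUPGHOME so no real keyring is touched.
POLICY_URL='https://site.example/keysigning-policy'  # assumed policy location

g() { LC_ALL=C gpg --batch --quiet --pinentry-mode loopback --passphrase '' "$@"; }

fpr_of() { g --with-colons --list-keys "$1" | awk -F: '$1 == "fpr" { print $10; exit }'; }

# Certify a user's key once the e-mail address has been verified out of band,
# then print the certification as any other OpenPGP user would see it.
# The body runs in a subshell so GNUPGHOME does not leak into the caller.
certify_with_policy() (
  GNUPGHOME=$(mktemp -d) && export GNUPGHOME && chmod 700 "$GNUPGHOME" || exit 1
  g --quick-generate-key 'Example Site <keys@site.example>' ed25519 cert never
  g --quick-generate-key 'New User <user@mail.example>' ed25519 sign never
  site_fpr=$(fpr_of keys@site.example)
  user_fpr=$(fpr_of user@mail.example)

  # Level 2 ("casual checking") is recorded as signature class 0x12; the
  # policy URI is embedded in the certification itself, so it travels with it.
  g --local-user "$site_fpr" --default-cert-level 2 \
    --cert-policy-url "$POLICY_URL" --quick-sign-key "$user_fpr"

  # show-policy-urls prints the embedded URI under each certification.
  g --list-options show-policy-urls --check-sigs "$user_fpr"

  gpgconf --kill gpg-agent 2>/dev/null || true
  rm -rf "$GNUPGHOME"
)
```

Calling `certify_with_policy` lists the user's key with the site's certification marked `sig!2` and a `Signature policy:` line beneath it.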



