On Mon, Sep 15, 2014 at 3:23 AM, Thomas Zander <tho...@thomaszander.se> wrote: > Any and all PGP related howtos will tell you that you should not trust or sign > a formerly-untrusted PGP (or GPG for that matter) key without seeing that > person in real life, verifying their identity etc.
Such guidelines are a perfect example of why PGP WoT is useless and stupid geek wanking. A person's behavioural signature is what is relevant. We know how Satoshi coded and wrote. It was the online Satoshi with which we interacted. The online Satoshi's PGP signature would be fine... assuming he established a pattern of use. As another example, I know the code contributions and PGP key signed by the online entity known as "sipa." At a bitcoin conf I met a person with photo id labelled "Pieter Wuille" who claimed to be sipa, but that could have been an actor. Absent a laborious and boring signed challenge process, for all we know, "sipa" is a supercomputing cluster of 500 gnomes. The point is, the "online entity known as Satoshi" is the relevant fingerprint. That is easily established without any in-person meetings. -- Jeff Garzik Bitcoin core developer and open source evangelist BitPay, Inc. https://bitpay.com/ ------------------------------------------------------------------------------ Want excitement? Manually upgrade your production database. When you want reliability, choose Perforce Perforce version control. Predictably reliable. http://pubads.g.doubleclick.net/gampad/clk?id=157508191&iu=/4140/ostg.clktrk _______________________________________________ Bitcoin-development mailing list Bitcoin-development@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/bitcoin-development
