On 2012-04-05 at 10:58:23 +1000, Fifty Four wrote:
> My understanding of key signing is that you only sign for what you believe
> to be true. The Certificate Authority Startcom created a certificate for my
> email address after Startcom verified my email address when I replied to
> their email check.
>
> AFAIK, to get a signed OpenPGP Cert I would need to attend a key signing
> party to verify my email address and check the key.
Strictly speaking this is not true: you are supposed to meet in person
before a signature exchange happens, but it does not have to be at a
signing party.

First of all, you could start cross-signing with OpenPGP-using local
friends and co-workers: this could lead to a closed graph of contacts, but
they are often high quality signatures, since people who have a RL
relation are quite sure of the identities of each other (or even if there
is a long-term fake identity involved they are sure that there is no
impersonation of third parties).

Then there are sites like biglumber_ where you can look for people in your
area (or areas you are going to visit) and arrange a meeting and signature
exchange; this is a great way to connect your local graph to the wider web
of trust. AFAIK aspiring Debian developers use a variant of this method to
satisfy the requirement of a key signed by at least one other DD.

.. _biglumber: http://biglumber.com/

Keysigning parties are a third choice: while they are useful to get many
signatures in a little time, they tend to have a lower quality, because at
a signing party there is often little time to check each other's identity.

> I want OpenPGP to
> succeed, but why can't I log into a site which signs the key of my email
> address after my email address has been verified. Why can't the same happen
> for an IM address? Couldn't a video call verify my Photo?

Strictly speaking, there is nothing in OpenPGP that prevents you from
creating a key that signs other keys based on an online exchange, and as
long as there is a signing policy that explicitly states this practice the
rest of the Web of Trust wouldn't be badly affected by this.

There are examples of this: the `Arch Linux master keys`_ are used to sign
the keys of people who are allowed to upload packages to the Arch Linux
repositories, and their requirements for keysigning don't include meeting
in person.

.. _`Arch Linux master keys`: https://www.archlinux.org/master-keys/

A website could do something similar: create their own key, verify the
email address of a new user, sign their key and then allow logins using
keys they have signed.

This of course would be useless for the OpenPGP web of trust, except as a
way to spread the idea that it exists and can be used, but wouldn't hurt
it either.

-- 
Elena ``of Valhalla''
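The discussion above turns on one mechanism: a certification only carries as much weight as the *ownertrust* the verifying user assigns to the certifier, which is why a site that signs keys after an email check (or a closed cluster of cross-signed friends) neither validates nor pollutes anybody else's web of trust unless they choose to trust it. The following is an added example, not code from the original message or from any project named in it. It is a simplified, stdlib-only model of GnuPG's classic trust model (defaults: one fully trusted certifier or three marginally trusted ones, at most five certification steps from an ultimately trusted key; signatures on subkeys, expiry and revocation are left out). All key names, certifications and ownertrust assignments are constructed for the illustration: a local cluster (me, alice, bob, carol), a Debian developer (dd) met via a biglumber-style exchange, and a hypothetical email-verifying website key (sitekey).

```python
"""Simplified GnuPG-style web-of-trust validity computation (constructed example)."""
from collections import defaultdict

# Ownertrust levels: the *user's own* opinion of how carefully a key holder
# checks identities before certifying (signing) other people's keys.
ULTIMATE = "ultimate"   # my own key(s)
FULL = "full"           # one certification from such a key is enough
MARGINAL = "marginal"   # MARGINALS_NEEDED such certifications are needed
NEVER = "never"         # certifications from this key are ignored
UNKNOWN = "unknown"     # default for everyone else: also ignored as certifier

MARGINALS_NEEDED = 3    # GnuPG default --marginals-needed
MAX_CERT_DEPTH = 5      # GnuPG default --max-cert-depth


def compute_validity(certs, ownertrust):
    """Return the set of keys that are valid under the classic trust model.

    certs is an iterable of (signer, signee) pairs: `signer` has certified a
    user ID on `signee`'s key. A key becomes valid when it is certified by
    one *valid* key of ULTIMATE or FULL ownertrust, or by at least
    MARGINALS_NEEDED distinct *valid* keys of MARGINAL ownertrust.
    Only valid keys act as certifiers, so ownertrust you assign to a key
    nobody vouches for has no effect. Keys more than MAX_CERT_DEPTH
    certification steps away from an ULTIMATE key never become valid.
    """
    signers_of = defaultdict(set)
    for signer, signee in certs:
        signers_of[signee].add(signer)

    valid = {key for key, trust in ownertrust.items() if trust == ULTIMATE}
    for _ in range(MAX_CERT_DEPTH):          # each round is one more step of depth
        newly_valid = set()
        for key, signers in signers_of.items():
            if key in valid:
                continue
            complete = marginal = 0
            for signer in signers:
                if signer not in valid:
                    continue                 # an unvalidated key cannot vouch for anyone
                trust = ownertrust.get(signer, UNKNOWN)
                if trust in (ULTIMATE, FULL):
                    complete += 1
                elif trust == MARGINAL:
                    marginal += 1
            if complete >= 1 or marginal >= MARGINALS_NEEDED:
                newly_valid.add(key)
        if not newly_valid:
            break
        valid |= newly_valid
    return valid


# Constructed certification graph (signer, signee). Names are hypothetical.
CERTS = [
    # local cluster, cross-signed in person: a "closed graph" on its own
    ("me", "alice"), ("alice", "me"), ("me", "bob"), ("bob", "me"),
    ("me", "carol"), ("carol", "me"), ("alice", "bob"), ("bob", "alice"),
    ("bob", "carol"), ("carol", "bob"),
    # people only the cluster knows
    ("bob", "grace"), ("carol", "grace"),     # two marginal certifiers: not enough
    ("alice", "henry"),                       # one fully trusted certifier: enough
    # a DD met via a biglumber-style meeting links the cluster to the wider WoT
    ("me", "dd"), ("dd", "me"), ("dd", "dave"), ("dd", "erin"),
    # a website key that signs after an email check; I verified its fingerprint
    ("me", "sitekey"), ("sitekey", "frank"),
]

# My ownertrust assignments; everyone not listed is UNKNOWN.
OWNERTRUST = {
    "me": ULTIMATE, "alice": FULL, "bob": MARGINAL, "carol": MARGINAL,
    "dd": FULL,
    "sitekey": NEVER,   # its stated policy is email-only, so I ignore its certifications
}

if __name__ == "__main__":
    for label, trust in [
        ("sitekey: never", OWNERTRUST),
        ("sitekey: marginal", {**OWNERTRUST, "sitekey": MARGINAL}),
        ("sitekey: full", {**OWNERTRUST, "sitekey": FULL}),
    ]:
        print(f"{label:18} valid = {sorted(compute_validity(CERTS, trust))}")
```

Running it shows the three situations from the thread side by side: the cluster's own signatures validate each other and henry but not grace (two marginals), the single in-person link to dd pulls dave and erin in, and frank, certified only by the email-verifying site, is valid only if the user deliberately raises that key's ownertrust to FULL. Lowering MAX_CERT_DEPTH or raising MARGINALS_NEEDED tightens the model the same way the corresponding GnuPG options do.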
_______________________________________________
Freedombox-discuss mailing list
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/freedombox-discuss
