-----Original Message-----
From: Fifty Four [mailto:[email protected]]
Sent: Monday, 16 April 2012 9:09 PM
To: 'Elena ``of Valhalla'''; '[email protected]'
Subject: RE: [Freedombox-discuss] Why is the signing criteria higher for OpenPGP Certs than CA Certs?

Hi Elena ``of Valhalla''

> First of all, you could start cross-signing with OpenPGP-using local
> friends and co-workers: this could lead to a closed graph of contacts,
> but they are often high quality signatures, since people who have a RL
> relation are quite sure of the identities of each other (or even if
> there is a long-term fake identity involved they are sure that there
> is no impersonation of third parties).

I did think of that, but I was afraid we wouldn't sign the keys properly. I have used Gnome Seahorse and it's so confusing.

> Then there are sites like biglumber_ where you can look for people in
> your area (or areas you are going to visit) and arrange a meeting and
> signature exchange; this is a great way to connect your local graph to
> the wider web of trust.
> AFAIK aspiring Debian developers use a variant of this method to
> satisfy the requirement of a key signed by at least one other DD.
>
> .. _biglumber: http://biglumber.com/

Thanks for the link. Never found this in my Google search results.

> Keysigning parties are a third choice: while they are useful to get
> many signatures in a little time, they tend to have a lower quality,
> because at a signing party there is often little time to check each
> other's identity.
>
> > I want OpenPGP to
> > succeed, but why can't I login into a site which signs the key of
> > my email address after my email address has been verified. Why can't
> > the same happen for an IM address? Couldn't a video call
> > verify my photo?
>
> strictly speaking, there is nothing in OpenPGP that prevents you from
> creating a key that signs other keys based on an online exchange, and
> as long as there is a signing policy that explicitly states this
> practice the rest of the Web of Trust wouldn't be badly affected by
> this.

Thanks for confirming this is possible. Do you have a link on what you need to do to link your keys to a signing policy?

> There are examples of this: the `Arch Linux master keys`_ are used to
> sign the keys of people who are allowed to upload packages to the Arch
> Linux repositories, and their requirements for keysigning don't
> include meeting in person.
>
> .. _`Arch Linux master keys`: https://www.archlinux.org/master-keys/
>
> A website could do something similar: create their own key, verify the
> email address of a new user, sign their key and then allow logins
> using keys they have signed.

That's what I was thinking of too.

> This of course would be useless for the OpenPGP web of trust, except
> as a way to spread the idea that it exists and can be used, but
> wouldn't hurt it either.

If the "new user" is known to you, could you "trust" their key to grow the web of trust?

> --
> Elena ``of Valhalla''

_______________________________________________
Freedombox-discuss mailing list
[email protected]
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/freedombox-discuss
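The scheme the message discusses (a site runs its own OpenPGP key, certifies a user's key once the e-mail address is verified, and then lets only certified keys log in) and the question of how to "link your keys to a signing policy" can both be shown with plain gpg. The script below is an added example written for this page; it is not code from the thread, from FreedomBox, or from the Arch Linux master-key setup. It assumes gpg 2.1 or newer on PATH; the site name, the addresses, and the policy URL are made-up placeholders, and the e-mail verification step is only marked as a comment. The link to the signing policy is gpg's `--cert-policy-url`, which stores the URL as a Policy URL subpacket on the certification so that anyone inspecting the signature can see on what basis it was made.

```shell
#!/usr/bin/env bash
# Added example, not code from the thread or from any project it names.
# A site-operated OpenPGP key certifies a user's key after (here: simulated)
# e-mail verification, records its signing policy as a Policy URL on the
# certification, and permits logins only from keys it has certified.
# Assumes gpg 2.1+ on PATH; names, addresses and the URL are placeholders.
set -eu
command -v gpg >/dev/null 2>&1 || { echo "gpg not found; nothing to demonstrate" >&2; exit 0; }

POLICY_URL="https://site.example/openpgp-signing-policy"   # placeholder URL

# Separate throwaway keyrings: from the site's side the user's key is an
# imported public key, exactly as it would be after a web upload.
SITE_HOME="$(mktemp -d)"; USER_HOME="$(mktemp -d)"
chmod 700 "$SITE_HOME" "$USER_HOME"
trap 'for h in "$SITE_HOME" "$USER_HOME"; do GNUPGHOME="$h" gpgconf --kill gpg-agent 2>/dev/null || true; done; rm -rf "$SITE_HOME" "$USER_HOME"' EXIT

# gpg without prompts: batch mode, empty passphrase through loopback pinentry.
gpgq() { local home="$1"; shift; GNUPGHOME="$home" gpg --batch --quiet --no-tty --pinentry-mode loopback --passphrase '' "$@"; }

# Generate an unprotected key (demo only) in HOME and print its fingerprint.
gen_key() {   # gen_key HOME "Name <email>"
  gpgq "$1" --quick-generate-key "$2" default default never
  gpgq "$1" --with-colons --list-keys "$2" | awk -F: '$1=="fpr"{print $10; exit}'
}

# Site side: certify the user's key with the site key, attaching the policy URL
# (signature subpacket 26) so relying parties can see the signing policy.
site_certify() {   # site_certify USER_FPR
  gpgq "$SITE_HOME" --yes --local-user "$SITE_FPR" --cert-policy-url "$POLICY_URL" --quick-sign-key "$1"
  gpgq "$SITE_HOME" --check-trustdb    # recompute validity after the new certification
}

# Login check: accept only keys carrying a certification made by the site key.
login_allowed() {   # prints allow|deny
  local site_keyid; site_keyid="$(printf '%s' "$SITE_FPR" | tail -c 16)"   # long key ID = last 16 hex digits
  if gpgq "$SITE_HOME" --with-colons --list-sigs "$1" 2>/dev/null \
       | awk -F: -v k="$site_keyid" '$1=="sig" && $5==k {found=1} END {exit !found}'; then
    echo allow
  else
    echo deny
  fi
}

# Validity gpg computes for the key in the site's keyring ("-" unknown, "f" full, "u" ultimate).
key_validity() { gpgq "$SITE_HOME" --with-colons --list-keys "$1" | awk -F: '$1=="pub"{print $2; exit}'; }

# Does the exported key really carry the policy URL on the site's certification?
policy_url_present() {   # prints yes|no
  if gpgq "$SITE_HOME" --export "$1" | gpgq "$SITE_HOME" --list-packets | grep -qF "$POLICY_URL"; then
    echo yes
  else
    echo no
  fi
}

# Walk through the flow once.
SITE_FPR="$(gen_key "$SITE_HOME" "Example Site Signing Key <[email protected]>")"
USER_FPR="$(gen_key "$USER_HOME" "Alice Example <[email protected]>")"
gpgq "$USER_HOME" --export "$USER_FPR" | gpgq "$SITE_HOME" --import    # user uploads her public key
BEFORE="$(login_allowed "$USER_FPR")"    # deny: the site has not certified this key yet
# ... here the site would mail a challenge to [email protected] and wait for the reply ...
site_certify "$USER_FPR"
AFTER="$(login_allowed "$USER_FPR")"     # allow
echo "login before=$BEFORE after=$AFTER validity=$(key_validity "$USER_FPR") policy_url=$(policy_url_present "$USER_FPR")"
```

Because the site key was generated locally, gpg gives it ultimate ownertrust in the site's own keyring, so after certification the user's key shows full validity there; that validity is only meaningful inside the site's keyring, which is the point Elena makes about such signatures not feeding the wider web of trust. Anyone else who imports the certification can follow the Policy URL and decide for themselves how much weight to give it.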
