On Wed, Oct 10, 2012 at 7:19 AM, Nick Kew <[email protected]> wrote:
>
> On 10 Oct 2012, at 12:20, Benson Margulies wrote:
>
>> Nick: On the one hand, how is trusting the Apache process better or
>> worse than trusting the State of Massachusetts?
>
> When I sign a key I'm basing it on more information than that.

Exactly -- certainty increases linearly as the strength of any one factor
improves, but increases exponentially with the addition of multiple factors.

Weak:

    amateur inspection of photo ID

Stronger, but depends on trust in third parties:

    amateur inspection of photo ID
    + third party testimonials

Stronger still:

    amateur inspection of photo ID
    + third party testimonials
    + permanent archived video (to discourage impersonation)
    + verification of Apache credentials

> Either it's a one-off, when I have additional knowledge of someone:
> e.g. a personal or working relationship. Or it's a keysigning party,
> when I'm one of many. In the latter case, if I'm signing keys at
> ApacheCon and someone I've never met identifies himself as
> Benson Margulies, I have not only the passport but a room full
> of Apache folks - some of whom surely know Benson Margulies
> well - to reassure me.

Protocols for key signing parties can be quite elaborate to ensure that each
participant provides multiple factors:

    http://cryptnet.net/fdp/crypto/keysigning_party/en/keysigning_party.html

Marvin Humphrey