On Thu, Dec 09, 2010 at 05:52:42PM +0100, Werner Koch wrote:
> On Wed, 8 Dec 2010 23:35, mailinglis...@hauke-laging.de said:
>
> > aren't any IETF notations yet. I suggest a standard for at least these pieces
> > of information:
> >
> > - key owner has been personally known for x years
> > - frequent contact with the key owner for x years
> [many more]
>
> It is very unlikely that OpenPGP will ever adopt such standards. There
> is an unspoken policy that we don't define policies but merely provide a
> framework so others can implement something on top of it. If we would
> start to adopt any such policies we would soon end up in the X.509 mud.
> The signature classes 0x10 to 0x13 are for a reason not very strictly
> defined.
>
>
> Shalom-Salam,
>
> Werner

There is a way for you to put your own signing policy URL in the signature. If you want something more formal, you could join a particular web of trust with a well-defined policy, e.g. Gossamer Spider Web of Trust http://www.gswot.org/. (I don't know much about them.) Your specific items might provide a good start for a standard to document these policies. I think it is particularly important to keep these policies de-coupled from the OpenPGP standard though.

I think a lot about what signature classes are appropriate for what situations and similar pedantry, but the current state of practice needs help at a more fundamental level. I just attended my first key-signing party. The participants likely have an above-average technical skill set. Of the 16 signatures I've received so far, all are at the default level. Five signers delivered my signed keys in encrypted form to the individual UIDs. The rest just uploaded them to a keyserver. I can't be critical of anyone who did that. It seems to be the most common practice.

We are very lucky to have an open standard (OpenPGP) and a free/open-source implementation (GnuPG) to work with. The really hard problems are trying to get people to use them correctly.

Phil
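
Added example, not part of the original message or of GnuPG: a minimal Python reader for the hashed subpackets of a version 4 OpenPGP signature packet body (RFC 4880), showing where the certification class (0x10 to 0x13), a policy URI and a notation are carried. The notation name `known-years@example.org`, the policy URL and the sample bytes are constructed for illustration, and the sample omits the signature material the parser does not read.

```python
import struct

# Certification signature classes, RFC 4880 section 5.2.1.
CERT_CLASSES = {0x10: "generic", 0x11: "persona", 0x12: "casual", 0x13: "positive"}
POLICY_URI, NOTATION = 26, 20  # subpacket types, RFC 4880 section 5.2.3.1

def iter_subpackets(area):
    """Yield (type, critical, data) for each subpacket in a subpacket area."""
    i = 0
    while i < len(area):
        first = area[i]
        if first < 192:            # one-octet length
            length, i = first, i + 1
        elif first < 255:          # two-octet length
            length, i = ((first - 192) << 8) + area[i + 1] + 192, i + 2
        else:                      # five-octet length
            length, i = struct.unpack(">I", area[i + 1:i + 5])[0], i + 5
        if length < 1 or i + length > len(area):
            raise ValueError("truncated subpacket")
        # The length counts the type octet; bit 7 of the type is the critical flag.
        yield area[i] & 0x7F, bool(area[i] & 0x80), area[i + 1:i + length]
        i += length

def describe_certification(body):
    """Return class, policy URIs and notations from a v4 signature packet body."""
    if len(body) < 6 or body[0] != 4:
        raise ValueError("not a version 4 signature packet body")
    (hashed_len,) = struct.unpack(">H", body[4:6])
    hashed = body[6:6 + hashed_len]
    if len(hashed) != hashed_len:
        raise ValueError("truncated hashed subpacket area")
    info = {"class": CERT_CLASSES.get(body[1], "not a certification"),
            "policy_urls": [], "notations": {}}
    # Only the hashed area is covered by the signature; the unhashed area is skipped.
    for sp_type, _critical, data in iter_subpackets(hashed):
        if sp_type == POLICY_URI:
            info["policy_urls"].append(data.decode("utf-8"))
        elif sp_type == NOTATION:  # 4 flag octets, name length, value length
            name_len, value_len = struct.unpack(">HH", data[4:8])
            name = data[8:8 + name_len].decode("utf-8")
            info["notations"][name] = data[8 + name_len:8 + name_len + value_len]
    return info

# Constructed sample: a 0x12 (casual) certification, RSA/SHA-256 algorithm ids.
_name, _uri = b"known-years@example.org", b"https://example.org/signing-policy"
_note = b"\x80\x00\x00\x00" + struct.pack(">HH", len(_name), 1) + _name + b"5"
_hashed = (bytes([len(_uri) + 1, POLICY_URI]) + _uri
           + bytes([len(_note) + 1, NOTATION]) + _note)
SAMPLE = bytes([4, 0x12, 1, 8]) + struct.pack(">H", len(_hashed)) + _hashed + b"\x00\x00"
```
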