On Sat 08.06.2013, 13:03:06, Daniel Kahn Gillmor wrote:

> fwiw, some people might not be comfortable certifying a User ID
> ("signing a key") with such a comment,
Crypto is NOT about comfort but about security. The point is: Does a certification make sense? Most certifications I see do not. They come without a certification level, without a policy URL, usually have no (especially not a reliably signed) key policy and are usually not made by offline main keys (or similar). In the end: more or less worthless. The WoT in its current form is occupational therapy for people who refuse to do crypto right (or rather: don't know what that means).

> since it is not actually a part of the user's identity.

Who cares? The question is: Does such a UID make the key better (with or without the WoT)? And if the answer is "It does", who would dare argue against that with the vague definition from the RFC? A comment may be a statement about the function of the key owner in an organization and thus is an important part of the identity. This is explicitly intended by signature law! Such a comment should be certified by the organization's certification key only. That it does not make sense that everyone signs a comment does not make the comment useless or bad in any way.

> How is an OpenPGP certifier supposed to
> validate the correctness of this comment?

You have to read the comment statement and its certification right. It obviously doesn't mean "I have checked that this is true", as everybody immediately understands that it is not possible for the certifier to check this. Instead it means: "I testify that the key owner makes this statement about the certified key." And statements about keys are damn important. You cannot do secure crypto without them. You are right insofar as in a perfect world this information might better be placed elsewhere (standardized, machine-readable signature notations). But in this world and at this time not even policy URLs are shown by default. Thus for maybe the next five years it is definitely a good idea to put the most important information about a key into a UID.
> https://www.debian-administration.org/users/dkg/weblog/97

Sorry, but the example you use on that page is ridiculous. It doesn't prove anything about UID comments except for the trivial fact that it is possible to use them for ridiculous purposes. You really should not leave that online. If someone makes a statement about the security of his key and decides to change this statement for the same key (no matter in which direction), that would be self-sabotage. Stupid behaviour, but not nearly an argument against statements about key security. And such statements are useless if they are not certified. It would make sense that the certifier demands that statement on paper with a manual signature.

Hauke

--
☺ PGP: 7D82 FB9F D25A 2CE4 5241 6C37 BF4B 8EEF 1A57 1DF5 (since 2012-11-04) http://www.openpgp-courses.org/
Gnupg-users mailing list, Gnupg-users@gnupg.org, http://lists.gnupg.org/mailman/listinfo/gnupg-users