On 01/24/2014 12:48 PM, Steve Jones wrote:
> On Fri, 24 Jan 2014 12:15:40 -0500 Daniel Kahn Gillmor
> <d...@fifthhorseman.net> wrote:
>
>> http://web.monkeysphere.info/
>
> This looks pretty cool, and does cover some of the things I've been
> thinking about. I've been wondering about communications secured with
> OpenPGP, it strikes me that it's not really necessary to even involve
> SSL; and the nightmares that seems to involve. Does monkeysphere have
> any aims to do complete connection security via OpenPGP?

what do you mean "complete connection security via OpenPGP"? OpenPGP is not a stream-based communications protocol, it's a specification of a message format and a certificate format. Inventing a new stream-based communications protocol from scratch and shoehorning it into OpenPGP doesn't sound like a great idea to me.

Monkeysphere uses OpenPGP's certificate format to provide a way for people to verify the keys used in SSH and TLS (and elsewhere -- OTR would be a lovely addition, for example). It does not intend to supplant those communications techniques.

> So I'm led to the idea that associating keys with areas on the web
> where a person's work, writings, etc... are known is more important
> than some sort of confirmation of a person's name, which is not even a
> unique identifier. If, for example, you'd signed your commits to
> monkeysphere I'd be able to verify your claim that you are a
> contributor to it (not that I doubt, or have any reason to doubt that).

how are other people going to verify these proposed User IDs?

If you make a data element a subkey or a notation in your self-signature, you are not asking other people to attempt to certify it. If you make the same data element a User ID or User Attribute, then you are effectively putting it out there for other people to attempt to verify and then certify.

If you came to me and said "I am the person who blogs at https://www.example.com/stevejones", how am i supposed to verify that? when would you want me to certify it?

--dkg
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users