On Tue, 13 Nov 2018 21:39:18 +0100, Wiktor Kwapisiewicz wrote:

> On 13.11.2018 17:54, Stefan Claas wrote:
> > Hi all,
> >
> > I thought about creating a key certification policy, for my key,
> > and like to know your opinions.
> >
> > <https://stefan_claas.keybase.pub/policy.txt>
> >
> > I have read in the past several policies, but I like to avoid
> > id-card / online video/chat etc. because I am not able
> > to distinguish between a real or a fake id, when doing so.
> >
> > Therefore I thought to use a postcard/letter method.
> >
> > Any critics are very welcome!
>
> Sounds interesting, would the post office check the ID of the person
> claiming the letter?

Well, I assume that the good old postman, delivering mail to your
house, is still around... :-) If I would send as some form of a
registered letter then I would say yes.

> It reminds me of someone's method that utilized small bank transfers
> (I can't find the source though :( ).

I also thought about PayPal etc., but decided against it after
receiving advice.

> Why not issue generic certifications instead of sig2 and sig3? There
> are some arguments against them:
> https://debian-administration.org/users/dkg/weblog/98

Yes, I remember this blog post and thought about this as well.

I like to point out that I remember RSA encryption, before PGP was
available and there was no WoT, so only people who knew each other
communicated that way. When I first learned about PGP in 94/95 I also
thought why should people sign each other's key for a WoT and why do
we need a global WoT and what is it good for.

With my humble approach I like to be honest, in that form, that I did
my best for certifying someone's key which might be useful for someone
else, entering the WoT, without letting third parties know that I know
a person personally, or have a longtime online friendship etc. or that
I belong to a certain group of people.

With the postal approach the requester does not need to send his
address in encrypted form in case my computer would be compromised.
When someone requests a signature I don't keep records on my computer
later. I only keep the postcard as a souvenir.

With the sig0 approach I have the following problem: I could create a
couple of fake keybase accounts, for example, give each other a sig0
and then what is this good for if I follow the advice from the blog
and what trust should a third party gain from this many sig0 on such a
key?

Regards
Stefan

--
https://www.behance.net/futagoza
https://keybase.io/stefan_claas
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users