[SGVLUG] Keysigning
John Kreznar
jek at ininx.com
Mon Dec 2 07:38:31 PST 2013
There are multiple issues with Web of Trust.
For some purposes, the public key IS the entity's identifier. Binding
it to other identifiers is a diversionary distraction. For example,
readers of this thread now know that the same mind that knows key
7334D770 wrote the message having Message-ID <2590547.7UFTF9U3Xl at myrada>
whether or not they know that it is also known as Diane Trout.
When a binding between public key and other ID IS important, a foolproof
and straightforward way to establish that binding is by exchanging key
fingerprints out of band. Signatures are not needed. To the claim that
this does not scale, observe that one's set of correspondents does not
scale either.
Trustworthiness is an attribute of the supposed steward of the secret
key, and would apply equally well to, say, face-to-face communication.
One thing one wants to be able to trust is that a correspondent won't
divulge the content of a message outside the intended set. Can this be
determined during a superficial encounter at a key signing party? Is
the key itself a suitable repository for such information?
Some day, I hope to find one of the good essays that have been written
From this perspective, or write one myself. But I don't have time now.
--
OpenPGP key: http://ininx.com
John E. Kreznar jek at ininx.com 9F1148454619A5F08550 705961A47CC541AFEF13
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 197 bytes
Desc: not available
URL: <http://sgvlug.net/pipermail/sgvlug/attachments/20131202/af130243/attachment.pgp>
More information about the SGVLUG
mailing list