[Freedombox-discuss] Why is the signing criteria higher for OpenPGP Certs than CA Certs?
Elena ``of Valhalla''
elena.valhalla at gmail.com
Thu Apr 5 07:23:26 UTC 2012
On 2012-04-05 at 10:58:23 +1000, Fifty Four wrote:
> My understanding of key signing is that you only sign for what you believe
> to be true. The Certificate Authority Startcom created a certificate for my
> email address after Startcom verified my email address when I replied to
> their email check.
>
> AFAIK, to get a signed OpenPGP cert I would need to attend a key signing
> party to verify my email address and check the key.
Strictly speaking this is not true: you are supposed to meet in person
before a signature exchange happens, but it does not have to be at a
keysigning party.
First of all, you could start cross-signing with OpenPGP-using
local friends and co-workers: this could lead to a closed graph
of contacts, but they are often high-quality signatures, since
people who have a real-life relationship are quite sure of the identities
of each other (or even if there is a long-term fake identity
involved they are sure that there is no impersonation of third
parties).
Then there are sites like biglumber_ where you can look for people
in your area (or areas you are going to visit) and arrange
a meeting and signature exchange; this is a great way to
connect your local graph to the wider web of trust.
AFAIK aspiring Debian developers use a variant of this method
to satisfy the requirement of a key signed by at least one other DD.
.. _biglumber: http://biglumber.com/
Keysigning parties are a third choice: while they are useful
to get many signatures in little time, they tend to have a lower
quality, because at a signing party there is often little time
to check each other's identity.
> I want OpenPGP to
> succeed, but why can't I login into a site which signs the key of my email
> address after my email address has been verified. Why can't the same happen
> for an IM address? Couldn't a video call verify my photo?
Strictly speaking, there is nothing in OpenPGP that prevents you
from creating a key that signs other keys based on an online
exchange, and as long as there is a signing policy that explicitly
states this practice the rest of the Web of Trust wouldn't be
badly affected by this.
There are examples of this: the `Arch Linux master keys`_
are used to sign the keys of people who are allowed to
upload packages to the Arch Linux repositories,
and their requirements for keysigning don't include meeting in person.
.. _`Arch Linux master keys`: https://www.archlinux.org/master-keys/
A website could do something similar: create its own key,
verify the email address of a new user, sign their key and
then allow logins using keys it has signed.
This of course would be useless for the OpenPGP web of trust,
except as a way to spread the idea that it exists and can be used,
but wouldn't hurt it either.
--
Elena ``of Valhalla''
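The site-run flow described in the message above (site key, email check, certification of the user's key, login only with certified keys), as an added example that is not part of the original post and is not FreedomBox code. It is written in Go with the standard library's Ed25519 instead of real OpenPGP packets: a "certification" here is the site's signature over (user public key, user ID, policy URL), standing in for an OpenPGP certification signature carrying a Policy URI. The policy URL, names and addresses are made up. It also adds the two checks a practitioner would want before certifying after an email-only check: the key's user ID must carry exactly the verified address, and the presenter must prove possession of the key by signing the mailed token.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"net/mail"
)

// Certification stands in for an OpenPGP certification signature with a
// Policy URI: the site signs (user public key, user ID, policy URL).
// Illustrative model only, not OpenPGP packet encoding.
type Certification struct {
	SignerPub ed25519.PublicKey
	PolicyURL string
	Sig       []byte
}

// UserKey models an OpenPGP key with a single user ID ("Name <email>").
type UserKey struct {
	Pub   ed25519.PublicKey
	Priv  ed25519.PrivateKey // known only to the user
	UID   string
	Certs []Certification
}

// Site holds the site's own signing key and its verification state.
type Site struct {
	Pub       ed25519.PublicKey
	priv      ed25519.PrivateKey
	PolicyURL string            // published policy: "certified after an e-mail check only"
	pending   map[string]string // e-mail verification token -> address
	nonces    map[string]bool   // outstanding single-use login challenges
}

func NewUserKey(uid string) *UserKey {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	return &UserKey{Pub: pub, Priv: priv, UID: uid}
}

func NewSite(policyURL string) *Site {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	return &Site{Pub: pub, priv: priv, PolicyURL: policyURL,
		pending: map[string]string{}, nonces: map[string]bool{}}
}

// certData is what the site signs: a domain-separation prefix, the
// fixed-width key, then the NUL-separated user ID and policy URL.
func certData(pub ed25519.PublicKey, uid, policy string) []byte {
	h := sha256.New()
	h.Write([]byte("site-certification\x00"))
	h.Write(pub)
	h.Write([]byte(uid + "\x00" + policy))
	return h.Sum(nil)
}

func randomHex(n int) string {
	b := make([]byte, n)
	rand.Read(b)
	return hex.EncodeToString(b)
}

// BeginVerification issues the token a real site would mail to the
// address; whoever presents it back can read that mailbox.
func (s *Site) BeginVerification(email string) string {
	tok := randomHex(16)
	s.pending[tok] = email
	return tok
}

// ProvePossession: the user signs the mailed token with the key to be
// certified, binding "controls the mailbox" to "controls this key".
func (k *UserKey) ProvePossession(token string) []byte {
	return ed25519.Sign(k.Priv, []byte("possession\x00"+token))
}

// CertifyKey is the signing policy in code: certify only if the token is
// fresh, the user ID carries exactly the verified address, and the
// presenter proved possession of the key's private half.
func (s *Site) CertifyKey(token string, key *UserKey, proof []byte) error {
	email, ok := s.pending[token]
	delete(s.pending, token) // single use, whatever happens next
	if !ok {
		return errors.New("unknown or already used token")
	}
	addr, err := mail.ParseAddress(key.UID)
	if err != nil || addr.Address != email {
		return errors.New("user ID does not carry the verified address")
	}
	if !ed25519.Verify(key.Pub, []byte("possession\x00"+token), proof) {
		return errors.New("no proof of possession for this key")
	}
	sig := ed25519.Sign(s.priv, certData(key.Pub, key.UID, s.PolicyURL))
	key.Certs = append(key.Certs, Certification{s.Pub, s.PolicyURL, sig})
	return nil
}

// Challenge starts a login with a random nonce the user must sign.
func (s *Site) Challenge() string {
	n := randomHex(32)
	s.nonces[n] = true
	return n
}

func (k *UserKey) Answer(nonce string) []byte {
	return ed25519.Sign(k.Priv, []byte("login\x00"+nonce))
}

// Login accepts a key only if it carries a valid certification by this
// site over this very public key and user ID, and the nonce was signed by
// that key. A certification copied onto another key does not verify.
func (s *Site) Login(key *UserKey, nonce string, answer []byte) error {
	if !s.nonces[nonce] {
		return errors.New("unknown or replayed challenge")
	}
	delete(s.nonces, nonce)
	certified := false
	for _, c := range key.Certs {
		if bytes.Equal(c.SignerPub, s.Pub) &&
			ed25519.Verify(s.Pub, certData(key.Pub, key.UID, c.PolicyURL), c.Sig) {
			certified = true
			break
		}
	}
	if !certified {
		return errors.New("key is not certified by this site")
	}
	if !ed25519.Verify(key.Pub, []byte("login\x00"+nonce), answer) {
		return errors.New("bad challenge signature")
	}
	return nil
}

func main() {
	site := NewSite("https://example.org/keysigning-policy") // made-up policy URL
	alice := NewUserKey("Alice <alice@example.org>")          // constructed sample user
	tok := site.BeginVerification("alice@example.org")        // "mailed" to Alice
	if err := site.CertifyKey(tok, alice, alice.ProvePossession(tok)); err != nil {
		panic(err)
	}
	nonce := site.Challenge()
	fmt.Println("login:", site.Login(alice, nonce, alice.Answer(nonce)))
}
```

The certification binds the site's signature to the exact public key and user ID, so it cannot be transplanted to another key or another address, and both the verification token and the login nonce are single-use, which is what keeps a captured token or challenge response from being replayed.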