[Freedombox-discuss] Why is the signing criteria higher for OpenPGP Certs than CA Certs?

Elena ``of Valhalla'' elena.valhalla at gmail.com
Thu Apr 5 07:23:26 UTC 2012

On 2012-04-05 at 10:58:23 +1000, Fifty Four wrote:
> My understanding of key signing is that you only sign for what you believe
> to be true. The Certificate Authority Startcom created a certificate for my
> email address after Startcom verified my email address when I replied to
> their email check. 
> AFAIK, to get a signed OpenPGP Certs I would need to attend a key signing
> party to verify my email address and check the key.  

Strictly speaking this is not true: you are supposed to meet in person 
before a sign exchange happen, but it does not have to be at a 
signing party. 

First of all, you could start cross-signing with OpenPGP-using 
local friends and co-workers: this could lead to a closed graph 
of contacts, but they are often high quality signatures, since 
people who have a RL relation are quite sure of the identities 
of each other (or even if there is a long-term fake identity 
involved they are sure theat there is no impersionation of third

Then there are sites like biglumber_ where you can look for people 
in your area (or areas you are going to visit) and arrange 
a meeting and signature exchange; this is a great way to 
connect your local graph to the wider web of trust. 
AFAIK aspiring Debian developers use a variant of this method 
to satisfy the requirement of a key signed by at least one other DD.

.. _biglumber: http://biglumber.com/

Keysigning parties are a third choice: while they are useful 
to get many signatures in a little time, they tend to have a lower 
quality, because at a signing party there is often little time 
to check each other's identity.

> I want OpenPGP to
> succeed, but why can't I login into a site which sign's the key of my email
> address after my email address has been verified. Why can't the same happen
> for an IM address? Couldn't a video call could verify my Photo? 

strictly speaking, there is nothint in OpenPGP that prevents you 
from creating a key that signs other keys based on an online 
exchange, and as long as there is a signing policy that explicitely 
states this practice the rest of the Web of Trust wouldn't be 
badly affected by this.

There are examples of this: the `Arch Linux master keys`_ 
are used to sign the keys of people who are allowed to 
upload packages to the Arch Linux repositories, 
and their requirements for keysigning don't include meeting in person. 

.. _`Arch Linux master keys`: https://www.archlinux.org/master-keys/

A website could do something similar: create their own key, 
verify the email address of a new user, sign their key and 
then allow logins using keys they have signed.
This of course would be useless for the OpenPGP web of trust, 
except as a way to spread the idea that it exists and can be used, 
but wouldn't hurt it either.

Elena ``of Valhalla''
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: Digital signature
URL: <http://lists.alioth.debian.org/pipermail/freedombox-discuss/attachments/20120405/d568ff5c/attachment.pgp>

More information about the Freedombox-discuss mailing list