[Freedombox-discuss] FW: Why is the signing criteria higher for OpenPGP Certs than CA Certs?

Fifty Four fiftyfour at waldevin.com
Mon Apr 16 11:10:30 UTC 2012



-----Original Message-----
From: Fifty Four [mailto:fiftyfour at waldevin.com] 
Sent: Monday, 16 April 2012 9:09 PM
To: 'Elena ``of Valhalla'''; 'freedombox-discuss at lists.alioth.debian.org'
Subject: RE: [Freedombox-discuss] Why is the signing criteria higher for
OpenPGP Certs than CA Certs?

Hi Elena ``of Valhalla''

> First of all, you could start cross-signing with OpenPGP-using local 
> friends and co-workers: this could lead to a closed graph of contacts, 
> but they are often high quality signatures, since people who have a RL 
> relation are quite sure of the identities of each other (or even if 
> there is a long-term fake identity involved they are sure that there 
> is no impersonation of third parties).
I did think of that, but I was afraid we wouldn't sign the keys properly. I
have used Gnome Seahorse and it's so confusing.

> 
> Then there are sites like biglumber_ where you can look for people in 
> your area (or areas you are going to visit) and arrange a meeting and 
> signature exchange; this is a great way to connect your local graph to 
> the wider web of trust.
> AFAIK aspiring Debian developers use a variant of this method to 
> satisfy the requirement of a key signed by at least one other DD.
> 
> .. _biglumber: http://biglumber.com/
Thanks for the link. Never found this in my Google search results.

> 
> Keysigning parties are a third choice: while they are useful to get 
> many signatures in a little time, they tend to have a lower quality, 
> because at a signing party there is often little time to check each 
> other's identity.
> 
> > I want OpenPGP to
> > succeed, but why can't I log in to a site which signs the key of 
> > my email address after my email address has been verified? Why can't 
> > the same happen for an IM address? Couldn't a video call verify my 
> > photo?
> 
> strictly speaking, there is nothing in OpenPGP that prevents you from 
> creating a key that signs other keys based on an online exchange, and 
> as long as there is a signing policy that explicitly states this 
> practice the rest of the Web of Trust wouldn't be badly affected by 
> this.
Thanks for confirming this is possible. Do you have a link on what you need
to do to link your keys to a signing policy?

> 
> There are examples of this: the `Arch Linux master keys`_ are used to 
> sign the keys of people who are allowed to upload packages to the Arch 
> Linux repositories, and their requirements for keysigning don't 
> include meeting in person.
> 
> .. _`Arch Linux master keys`: https://www.archlinux.org/master-keys/
> 
> A website could do something similar: create their own key, verify the 
> email address of a new user, sign their key and then allow logins 
> using keys they have signed.
That's what I was thinking of too?

> This of course would be useless for the OpenPGP web of trust, except 
> as a way to spread the idea that it exists and can be used, but 
> wouldn't hurt it either.
If the "new user" is known to you, could you "trust" their key to grow the
web of trust?
> 
> --
> Elena ``of Valhalla''
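As an added example (not from this thread, and assuming nothing beyond RFC 4880), this is what a signing policy "explicitly stating the practice" looks like on the wire: a certification signature carries a class byte (0x10 to 0x13) saying how much identity checking the issuer did, plus a Policy URI subpacket pointing at the issuer's written policy, so a site that only verifies an email address can issue a persona or casual certification with its policy URL and anyone evaluating the signature can read both. The sample packet is constructed here with a placeholder hash and MPI.

```python
"""Added example: pull the certification class and Policy URI subpacket out of
an OpenPGP v4 signature packet (RFC 4880 sections 5.2.1 and 5.2.3.20)."""
import struct

CERT_CLASSES = {                 # RFC 4880 section 5.2.1 certification classes
    0x10: "generic (no claim about verification)",
    0x11: "persona (no identity check made)",
    0x12: "casual (casual identity check made)",
    0x13: "positive (substantial identity check made)",
}
CREATION_TIME, POLICY_URI = 2, 26   # subpacket types

def build_certification(sig_type, policy_url, created=1334574630):
    """Constructed sample packet: real layout, placeholder hash and MPI."""
    url = policy_url.encode("utf-8")
    subpackets = (bytes([5, CREATION_TIME]) + struct.pack(">I", created)
                  + bytes([len(url) + 1, POLICY_URI]) + url)
    body = (bytes([4, sig_type, 1, 8])            # v4, class, RSA, SHA-256
            + struct.pack(">H", len(subpackets)) + subpackets
            + struct.pack(">H", 0)                # no unhashed subpackets
            + b"\x00\x00"                         # left 16 bits of hash (placeholder)
            + struct.pack(">H", 8) + b"\x01")     # placeholder 8-bit MPI
    return bytes([0x88, len(body)]) + body        # old-format header, tag 2, 1-byte len

def parse_certification(packet):
    """Return (class description, policy URL or None) for one signature packet."""
    tag = packet[0]
    if tag & 0xC0 != 0x80 or (tag >> 2) & 0x0F != 2:
        raise ValueError("not an old-format signature packet")
    body = packet[{0: 2, 1: 3, 2: 5}[tag & 0x03]:]   # skip header by length type
    if body[0] != 4:
        raise ValueError("only v4 signatures handled")
    sig_type = body[1]
    hashed = body[6:6 + struct.unpack(">H", body[4:6])[0]]
    policy, pos = None, 0
    while pos < len(hashed):                      # walk the hashed subpackets
        n = hashed[pos]
        if n < 192:
            pos += 1
        elif n < 255:
            n, pos = ((n - 192) << 8) + hashed[pos + 1] + 192, pos + 2
        else:
            n, pos = struct.unpack(">I", hashed[pos + 1:pos + 5])[0], pos + 5
        if hashed[pos] & 0x7F == POLICY_URI:      # mask the critical bit
            policy = hashed[pos + 1:pos + n].decode("utf-8")
        pos += n
    return CERT_CLASSES.get(sig_type, "not a certification: 0x%02x" % sig_type), policy
```

In GnuPG the same two fields are set when certifying a key with --default-cert-level and --cert-policy-url.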
