Robert L Cochran wrote:
> Thanks Todd. This really is useful to me.

Cool. Glad to hear it.

> I'm waiting now for biglumber.com to actually send me the promised
> login token based on my GPG key, so I can make myself the 29th
> Maryland person interested in a keysigning. I have a feeling their
> email server is in trouble. Or is just so painfully slow that it
> needs hours.

I seem to recall it taking a while when I added my own entry a few
years back.

> I'll probably check to see if the Baltimore, Maryland LUG really
> will have a keysigning party. The one advantage to driving all the
> way out there for such a meeting is I might meet some new folks and
> make a friend or two.

Definitely. My local LUG has done a keysigning or two over the years,
but even without those, it's been a good thing to go out for, to trade
info with other geeks and learn some new tricks.

> Since I also belong to the Thawte "Web of Trust" and have enough
> "Trust Points" accumulated to authenticate other people, I'm well
> aware based on numerous personal meetings with others (whom I asked
> to authenticate me, and later on, people who asked me to
> authenticate them) that these authentication type and/or keysigning
> meetings are basically meaningless in terms of really knowing the
> person who is signing your key or authenticating your application.
> It's like a puff of air.

As I see it, there are two related but distinct concepts in the PGP
web of trust model: validity and trust. Validity applies to keys.
Trust applies to people.

Keysignings are concerned with establishing validity. The things I am
attempting to verify at a keysigning are:

1) The identity of the person asking me to certify their key.
2) The key's fingerprint, ID, size, and type.
3) The email address(es) associated with the key.

I agree that the first item is very difficult to accurately verify for
someone that you have just met. But that doesn't mean that no effort
at all should be made in this regard.

I take advantage of the PGP spec and issue differing levels of
signatures for people I know well versus people that I have just met.
That way, you and others could tell a bit about what level of
certainty I have in the identity of the people whose keys I have
signed (assuming you know me enough to have some trust in me in the
first place :).

The trust part is left up to each individual in the PGP model. I am
free to trust no one but myself to validate the keys of other people.
Alternatively, I can trust everyone. You can also trust people
marginally or fully. One signature on a key from a fully trusted
person will make that key valid to gpg. By default, 3 signatures from
marginally trusted people will make the key valid. I think that's a
little low and use a higher value myself.

When deciding whether and how much to trust someone, I take into
account how well I know them and what their policies are regarding
signing other people's keys. If I know that someone just signs keys
via email without doing any other checking, I find their signatures to
be worthless and don't place any trust in them. If, OTOH, I know that
they take the same steps that I find reasonable, then I will likely
trust their signatures much more.

> With Thawte, payment of a sufficient fee and the signature of just
> one banker or lawyer can get you enough Trust Points to authenticate
> anyone. It doesn't matter if the lawyer or banker recently served a
> jail term.

I've never been a fan of top-down hierarchies for trust like this.
You can't buy trust. And if you could, I certainly wouldn't look to
buy it from any banker or lawyer. ;-)

> From a keysigning perspective, really a face-to-face meeting has no
> more value from an authentication or know-the-other-party
> perspective than the act of walking past someone in a grocery store.
> It's not as if you are going to do business with the person whose
> key you just signed until the day you die.

Perhaps, but then why would you even bother worrying about signing
someone's key or checking the signatures on other people's keys? I
treat signing a key like notarizing a document for someone. I intend
to verify the key I am signing to the best of my ability, so that it
may be of some use to others.

> Email is often a better and more efficient use of time and resources.

I would strongly disagree that email is sufficient for the purposes of
signing keys. I don't see the point in signing a key unless you have
done some reasonable amount of checking on that key.

If that's really the only level of verification that you want out of
PGP, then you might look at the PGP Global Directory. It is a somewhat
automated way to sign and validate keys. You submit your key to the
global directory, they send you an email to verify that you control
that address. You click the link in the email to confirm and they then
sign your key with the global directory key. Other users can mark the
global directory key as trusted. It's a weaker verification than many
people want, but it has its uses.

https://keyserver.pgp.com

FWIW, I documented my policy for signing keys as part of the last LUG
keysigning I attended. I add that as a notation to any signatures I
make on other people's keys, so that someone interested in knowing
what I checked before making the signature can do so.

http://www.pobox.com/~tmz/pgp/cert-policy.asc

-- 
Todd        OpenPGP -> KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
When we remember we are all mad, the mysteries of life disappear and
life stands explained.
    -- Mark Twain
Attachment:
pgpUCUz62bGbO.pgp
Description: PGP signature
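The validity-versus-trust distinction the message draws (owner trust is a setting on people; validity is computed per key from signatures made by trusted, valid keys), together with the points about certification levels, the marginals threshold and ignoring signatures from people who sign over email, can be made concrete with a small model of the calculation. The block below is an added illustration, not code from the message or from GnuPG; the keyring it builds is constructed, the names in it are hypothetical, and the defaults it assumes (completes-needed 1, marginals-needed 3, max-cert-depth 5, min-cert-level 2 so that persona-level 0x11 signatures are ignored) are gpg's documented defaults.

```python
"""Toy model of the OpenPGP web-of-trust calculation discussed in the
post: owner trust is a per-person setting, validity is computed per key
from signatures made by trusted, valid keys.  Added illustration with a
constructed keyring and hypothetical key names; this is not gpg's code."""

from dataclasses import dataclass, field

# Certification signature types from RFC 4880 section 5.2.1.
GENERIC, PERSONA, CASUAL, POSITIVE = 0x10, 0x11, 0x12, 0x13

# Owner trust: how much you trust a *person* to certify other keys.
UNKNOWN, NEVER, MARGINAL, FULL, ULTIMATE = (
    "unknown", "never", "marginal", "full", "ultimate")


@dataclass
class Key:
    keyid: str
    owner_trust: str = UNKNOWN
    # signer keyid -> certification type of that signer's signature on this key
    certs: dict = field(default_factory=dict)


def compute_validity(keys, completes_needed=1, marginals_needed=3,
                     max_cert_depth=5, min_cert_level=CASUAL):
    """Return {keyid: "full" | "marginal" | "unknown"} for every key.

    Rules, following the post and gpg's documented defaults (assumed here):
      * a key is fully valid if it carries completes_needed signatures from
        fully trusted valid keys, or marginals_needed signatures from
        marginally trusted valid keys (gpg defaults: 1 and 3);
      * signatures whose certification type is below min_cert_level are
        ignored (gpg's --min-cert-level defaults to 2, so persona-level
        0x11 signatures do not count);
      * only signatures from keys that are themselves fully valid count,
        and the chain back to an ultimately trusted key is capped at
        max_cert_depth hops;
      * signatures from keys with owner trust "never" or "unknown" never
        count, whatever their certification level.
    """
    validity = {kid: "unknown" for kid in keys}
    depth = {}                        # keyid -> hops from an ultimate key
    for kid, key in keys.items():
        if key.owner_trust == ULTIMATE:
            validity[kid] = "full"
            depth[kid] = 0

    changed = True
    while changed:                    # iterate to a fixed point
        changed = False
        for kid, key in keys.items():
            if validity[kid] == "full":
                continue
            completes = marginals = 0
            best_depth = None
            for signer, level in key.certs.items():
                s = keys.get(signer)
                if s is None or signer == kid or level < min_cert_level:
                    continue
                if validity[signer] != "full":
                    continue          # signer's own key must be valid first
                d = depth[signer] + 1
                if d > max_cert_depth:
                    continue
                if s.owner_trust in (FULL, ULTIMATE):
                    completes += 1
                elif s.owner_trust == MARGINAL:
                    marginals += 1
                else:
                    continue          # NEVER / UNKNOWN: signature is worthless
                best_depth = d if best_depth is None else min(best_depth, d)

            if completes >= completes_needed or marginals >= marginals_needed:
                new = "full"
            elif completes or marginals:
                new = "marginal"
            else:
                new = "unknown"
            if new != validity[kid]:
                validity[kid] = new
                if new == "full":
                    depth[kid] = best_depth
                changed = True
    return validity


def example_keyring():
    """Constructed keyring (hypothetical names) exercising each rule above."""
    ring = [
        Key("todd", ULTIMATE),
        Key("alice", FULL, {"todd": POSITIVE}),
        Key("bob", MARGINAL, {"todd": CASUAL}),
        Key("carol", MARGINAL, {"todd": POSITIVE}),
        Key("dave", MARGINAL, {"todd": POSITIVE}),
        # three marginally trusted signers: valid at the default threshold
        Key("frank", FULL, {"bob": CASUAL, "carol": CASUAL, "dave": CASUAL}),
        # only a persona-level (0x11) "just met" signature
        Key("grace", UNKNOWN, {"alice": PERSONA}),
        # depends on frank being fully valid
        Key("heidi", UNKNOWN, {"frank": POSITIVE}),
        # ivan signs keys over email without checking: trust set to never
        Key("ivan", NEVER, {"todd": POSITIVE}),
        Key("judy", UNKNOWN, {"ivan": POSITIVE}),
    ]
    return {k.keyid: k for k in ring}


if __name__ == "__main__":
    ring = example_keyring()
    for label, kw in (("gpg defaults", {}),
                      ("marginals-needed 5", {"marginals_needed": 5}),
                      ("min-cert-level 1", {"min_cert_level": PERSONA})):
        print(label, compute_validity(ring, **kw))
```

Running it shows the three effects the message describes: with the defaults, frank's key becomes fully valid on three marginal signatures and heidi's follows from it; raising marginals-needed to 5 (the "a little low" remark) drops frank to marginal validity and heidi to unknown; ivan's key is valid (Todd signed it) but, with owner trust set to never, his signature on judy's key counts for nothing; and grace's persona-level signature is ignored until min-cert-level is lowered to 1. The real knobs are the gpg.conf options `ask-cert-level` (or `default-cert-level`), `min-cert-level`, `marginals-needed`, `completes-needed`, `max-cert-depth`, and `cert-policy-url` / `cert-notation` for attaching a signing policy to the certifications you issue.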