[147634] in cryptography@c2.net mail archive


Re: [Cryptography] PGP Key Signing parties

daemon@ATHENA.MIT.EDU (Tony Naggs)
Fri Oct 11 13:40:50 2013

X-Original-To: cryptography@metzdowd.com
In-Reply-To: <201310102131.r9ALVWqQ015547@new.toad.com>
Date: Fri, 11 Oct 2013 12:03:44 +0100
From: Tony Naggs <tonynaggs@gmail.com>
To: John Gilmore <gnu@toad.com>
Cc: "cryptography@metzdowd.com" <cryptography@metzdowd.com>,
	Phillip Hallam-Baker <hallam@gmail.com>
Reply-To: tony.naggs@gmail.com
Errors-To: cryptography-bounces+crypto.discuss=bloom-picayune.mit.edu@metzdowd.com

On 10 October 2013 22:31, John Gilmore <gnu@toad.com> wrote:
>> Does PGP have any particular support for key signing parties built in or is
>> this just something that has grown up as a practice of use?
>
> It's just a practice.  I agree that building a small amount of automation
> for key signing parties would improve the web of trust.

Do key signing parties even happen much anymore? The last time I saw
one advertised was around PGP 2.6!


>> I am specifically thinking of ways that key signing parties might be made
>> scalable so that it was possible for hundreds of thousands of people...
>
> An important user experience point is that we should be teaching GPG
> users to only sign the keys of people who they personally know.
> Having a signature that says, "This person attended the RSA conference
> in October 2013" is not particularly useful.  (Such a signature could
> be generated by the conference organizers themselves, if they wanted
> to.)  Since the conference organizers -- and most other attendees --
> don't know what an attendee's real identity is, their signature on
> that identity is worthless anyway.

I can sign the public keys of people I personally know without a key
signing party. :-)

For many purposes I don't care about a person's official, legal
identity, but I do want to communicate with a particular persona.
For instance at DefCon or CCC I neither know nor care whether someone
identifies themselves to me by their legal name or hacker handle, but
it is very useful to know & authenticate that they are in control of a
private PGP/GPG key in that name on a particular date.
_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography
