[clug] request for comment: new keysigning protocol

Steve McInerney steve at stedee.id.au
Wed Feb 10 22:19:12 MST 2010

On Wed, 2010-02-10 at 23:04 +1100, Paul Wayper wrote:
> Hash: SHA1
> On 08/02/10 07:46, steve jenkin wrote:
> > How would you do this differently if done electronically - ie. mediated
> > by laptop, Smartphone or PDA (do they still exist?).
> In two words, you don't.
> As I said, the point of a keysigning is to make sure that the person with a
> given name controls the key with the same name.

This thread has reminded me of a truism in personnel vetting. A'la Top
Secret clearances and the like:
They're out of date as soon as they're issued.

No matter how clever and "correct" a key signing verification process
is, it has the same fatal flaw: People.

My 2c is that these processes are just as much security theatre as
having to take your shoes off at an airport check. "We" accept the
theatre because we feel like we've achieved something of value, and that
helps us sleep at night.

- Steve

More information about the linux mailing list