[clug] request for comment: new keysigning protocol

Alex Satrapa grail at goldweb.com.au
Wed Feb 10 22:43:08 MST 2010


On 11/02/2010, at 16:19 , Steve McInerney wrote:

> My 2c is that these processes are just as much security theatre as
> having to take your shoes off at an airport check.

Well, the process does ensure that you have signed a key based on seeing someone carrying that key signature and an ID card that has the same name as the person who claims to own that key :)

Personally, I prefer sticking to signing only keys issued by my contacts, when they can verify out-of-band that the key I'm about to sign is the key that they have created for themselves.

Currently the process for stealing an official identity is simply as follows:
 - Determine birthdate and birthplace
 - Turn up to Registrar of Births, Deaths and Marriages
   - Ask for duplicate of certificate

… and that's it.

How do you know that those strangers you met at the keysigning party are really who they claim to be?

Now how much faith are complete strangers going to put in the identity of someone claiming to be "Richard Stallman" whose GPG key is signed by "Andrew Tridgewell"?

Neither key is signed by me, so I trust neither.

Alex
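The out-of-band check Alex describes above, written out as an added example (not code from the original thread or from any poster in it). The script parses the machine-readable output of `gpg --with-colons --fingerprint <key>` for the key you are about to sign and refuses to build a `gpg --sign-key` command unless the primary key's full 40-digit fingerprint equals the one the owner gave you over another channel. The gpg output, the fingerprint values and the user ID below are constructed samples, not real keys; the function and constant names are this example's own.

```python
"""Gate a `gpg --sign-key` on a fingerprint obtained out-of-band.

Added example for this thread, not code by the original poster. It parses the
machine-readable output of `gpg --with-colons --fingerprint <key>` (constructed
sample below) and refuses to sign unless the primary key's full fingerprint
matches the one the key owner gave you over another channel.
"""
import hmac
import re

# Constructed sample of `gpg --with-colons --fingerprint` output for one key
# (not a real key). Each `fpr` record belongs to the `pub` or `sub` before it.
SAMPLE_GPG_OUTPUT = """\
pub:u:4096:1:0123456789ABCDEF:1265000000::u:::scESC::::::23::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:u::::1265000000::0000000000000000000000000000000000000000::Example Contact <contact at example.org>::::::::::0:
sub:u:4096:1:FEDCBA9876543210:1265000000::::::e::::::23:
fpr:::::::::FEDCBA9876543210FEDCBA9876543210FEDCBA98:
"""

# What the owner told you in person or over the phone (constructed). Hand
# transcriptions usually arrive grouped, lowercase, with uneven spacing.
OUT_OF_BAND_FINGERPRINT = "0123 4567 89ab cdef 0123  4567 89ab cdef 0123 4567"

FPR_RE = re.compile(r"^[0-9A-F]{40}$")  # v4 OpenPGP fingerprint: 20 bytes


def normalize_fingerprint(text):
    """Canonical form of a fingerprint as typed by a human.

    Rejects anything that is not a full 40-hex-digit fingerprint: an 8- or
    16-digit key ID is not enough to tie a key to a person (short IDs can be
    collided), so it is refused rather than silently matched as a prefix.
    """
    fpr = re.sub(r"\s+", "", text).upper()
    if fpr.startswith("0X"):
        fpr = fpr[2:]
    if not FPR_RE.match(fpr):
        raise ValueError("expected a full 40-hex-digit fingerprint, got %r" % text)
    return fpr


def parse_with_colons(output):
    """Return (primary_fingerprint, [user ids], [subkey fingerprints]).

    In --with-colons output field 10 of an `fpr` record is the fingerprint and
    field 10 of a `uid` record is the user ID.
    """
    primary, uids, subkeys = None, [], []
    current = None
    for line in output.splitlines():
        fields = line.split(":")
        rtype = fields[0]
        if rtype in ("pub", "sub"):
            current = rtype
        elif rtype == "fpr":
            if current == "pub" and primary is None:
                primary = fields[9]
            elif current == "sub":
                subkeys.append(fields[9])
        elif rtype == "uid":
            uids.append(fields[9])
    if primary is None:
        raise ValueError("no primary key fingerprint in gpg output")
    return primary, uids, subkeys


def key_matches(output, out_of_band):
    """True only if the *primary* key fingerprint equals the out-of-band one.

    A subkey fingerprint is deliberately not accepted: certifications are made
    over the primary key, and that is the value the owner should have read out.
    """
    primary, _, _ = parse_with_colons(output)
    expected = normalize_fingerprint(out_of_band)
    # Constant-time compare is cheap insurance when this runs over many keys.
    return hmac.compare_digest(primary.upper(), expected)


def sign_command(output, out_of_band):
    """The gpg command to run if the check passes; None if it does not.

    Selecting the key by fingerprint (never by name or short key ID) means gpg
    cannot pick a different key that happens to carry the same user ID.
    """
    if not key_matches(output, out_of_band):
        return None
    primary, _, _ = parse_with_colons(output)
    return ["gpg", "--ask-cert-level", "--sign-key", primary]


if __name__ == "__main__":
    cmd = sign_command(SAMPLE_GPG_OUTPUT, OUT_OF_BAND_FINGERPRINT)
    if cmd is None:
        raise SystemExit("fingerprint mismatch: not signing")
    print("would run:", " ".join(cmd))
    # To actually sign: import subprocess; subprocess.run(cmd, check=True)
```

In real use, replace SAMPLE_GPG_OUTPUT with the output of `gpg --with-colons --fingerprint <keyid>` for the imported key, and keep the fingerprint comparison separate from any name check: the name on an ID card matching the name in the user ID says nothing about whether this particular key belongs to that person, which is the point made in the message above.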
