
using OpenPGP notations to indicate keysigning practices [was: Re: GPG keysigning?]



On 06/23/2009 12:34 PM, Manoj Srivastava wrote:
>         Frankly, recording the details of the verification performed is
>  a first step to improving the ability to assess the strength of the
>  link in the web of trust. A simple key sig is not enough, there could
>  be a formal process to add to the WoT, say by sending a
>  signed(encrypted?) email to  wot@debian.org which has a formal
>  structure that specifies:
>    A) Name of signee
>    B) GPG id(s) of signee
>    C) Key fingerprint of signee
>    D) Method used to verify identity
>    E) Free form additional details
> 
>         Of course, this should only be done if the owner of the key has
>  demonstrated they own the email address by decrypting the key and
>  adding it to the keyservers.

While I'm not sure this is a good idea in general, we already have all
the tools to do this sort of thing without defining gobs of new syntax
or setting up new auto-responders or debian-specific repositories of
this kind of data.  We just need to agree on the definitions of some terms.

OpenPGP allows for embedded attribute/value "notation" subpackets in a
certification.

 http://tools.ietf.org/html/rfc4880#section-5.2.3.16

So if we want to clarify just what went into the certification of a
particular key/UID, we could define some attribute names.  For example:

--> verification-strategy@wot.debian.org might define a set of
comma-separated values with well-defined meanings, and their presence
indicates an avowal of compliance.  Those strings might include:

  checked-email: this signature was sent encrypted to the e-mail address
from the UID (e.g. using caff), and was not otherwise shown to the
public. (this notation should not be included on certification of a
photo ID, since there is no associated e-mail address)

  checked-govt-id: I verified the non-email part of the UID against what
appeared to be a valid, non-expired government-issued document

  was-at-keysigning-party: This verification was done as part of a
massive keysigning party (would this be useful? I don't know)

--> govt-issuer@wot.debian.org might be a distinguished name identifying
the apparent issuer of any validated identification, such as
/C=US/ST=NY/ for a NY State (USA) driver's license and /C=US/ for an
American passport. If you checked two IDs, you could include this
notation twice.  Maybe this should somehow include the type of document
as well?

Given a consensus-developed set of these attributes and their meanings,
and depending on your definition of what counts as "strong" practices,
you could re-compute the WoT only including signatures which meet the
guidelines you care about.
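As an added illustration (not part of the original message), the following Python builds and parses the RFC 4880 notation subpackets described above, using the proposed verification-strategy@wot.debian.org and govt-issuer@wot.debian.org attribute names, and then applies an assumed policy that keeps only certifications avowing a required set of checks; the sample certifications and the creation-time subpacket are constructed for the example.

```python
# Added example, not from the message: build and parse RFC 4880 Notation Data subpackets
# (type 20) carrying the proposed attributes, then filter certifications by what they avow.
import struct

NOTATION_DATA, HUMAN_READABLE = 20, 0x80000000  # subpacket type; "human-readable" flag bit
STRATEGY = "verification-strategy@wot.debian.org"  # attribute name proposed in the message

def subpacket_len(n):
    # one- or two-octet subpacket length (RFC 4880 section 5.2.3.1); n < 16320 assumed
    if n < 192:
        return bytes([n])
    return bytes([((n - 192) >> 8) + 192, (n - 192) & 0xFF])

def encode_notation(name, value):
    # notation body: flags(4) | name length(2) | value length(2) | name | value
    name_b, value_b = name.encode(), value.encode()
    body = struct.pack(">IHH", HUMAN_READABLE, len(name_b), len(value_b)) + name_b + value_b
    return subpacket_len(len(body) + 1) + bytes([NOTATION_DATA]) + body

def parse_subpackets(area):
    # yield (type, body) for every subpacket in a hashed-subpacket area
    i = 0
    while i < len(area):
        first = area[i]
        if first < 192:
            length, i = first, i + 1
        elif first < 255:
            length, i = ((first - 192) << 8) + area[i + 1] + 192, i + 2
        else:
            length, i = struct.unpack(">I", area[i + 1:i + 5])[0], i + 5
        yield area[i], area[i + 1:i + length]
        i += length

def notations(area):
    # {name: [values]}; values without the human-readable flag stay as bytes
    out = {}
    for ptype, body in parse_subpackets(area):
        if ptype != NOTATION_DATA:
            continue
        flags, nlen, vlen = struct.unpack(">IHH", body[:8])
        name, value = body[8:8 + nlen].decode(), body[8 + nlen:8 + nlen + vlen]
        out.setdefault(name, []).append(value.decode() if flags & HUMAN_READABLE else value)
    return out

def meets_policy(area, required):
    # assumed policy check: every required strategy token must be avowed in the certification
    avowed = {s.strip() for v in notations(area).get(STRATEGY, []) for s in v.split(",")}
    return set(required) <= avowed

# Constructed sample certifications; each starts with a creation-time subpacket (type 2).
CREATED = b"\x05\x02\x4a\x41\x2b\x20"
STRONG = CREATED + encode_notation(STRATEGY, "checked-email,checked-govt-id") + encode_notation("govt-issuer@wot.debian.org", "/C=US/ST=NY/")
WEAK = CREATED + encode_notation(STRATEGY, "checked-email")
```

Recomputing the WoT "only including signatures which meet the guidelines" then amounts to keeping the certifications for which meets_policy returns True; the values remain bare assertions by the certifier, exactly as the message notes.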

This would be public, of course, since they would be embedded in the
certification itself, and thereby published to the main keyservers.

And of course, these would just be assertions, in that we are relying on
the word of the certifier that they did in fact follow the associated
policies for that particular notation.  They would be signed by the
certifier, however, as a statement of what practices they engaged in.

I want to stress here that I'm not convinced that we need this level of
detail about certification practices.  But if we do, I'd prefer that we
use extant mechanisms in the WoT that other people can also use, rather
than develop a side-project debian-only repository of such information.

	--dkg
