
Re: Keysigning without physically meeting ... thoughts?

On Tuesday 31 May 2005 23:54, Marc Haber wrote:
> The entire procedure is quite US centric. I don't understand why you
> US guys are so fond of your notaries. Over here, it's a three digit
> bill for the notary to open the office door and to offer you a chair,
> so there might be cultures where one thinks twice or even three times
> before having something notarized.

Do you really mean the ENTIRE procedure, or do you just mean the notary? 
What would be a better way to replace that step for a globally aware
procedure? Or do you think it's necessary at all?

> Additionally, the web of trust is the web of trust because it is
> entirely self-contained, without putting any trust on government and
> state officials. Your suggestion violates this principle by moving the
> verification state to the notary.

The web of trust's point is to be self-contained once it exists. It might 
need to bootstrap itself using other methods. For instance, it's already 
not self-contained by the above definition--because when you meet somebody, 
you don't just believe them when they say they are who they are, you make 
them show you some sort of ID, usually a government-issued one. 

Or do you think that when signing somebody's GPG key, one shouldn't ask for 
government-issued ID, but use some other criteria? If so, I'm curious what
a good protocol would be.

> Even if the notary were sufficiently advanced to offer PGP key signing
> with her official key this were not good enough for Debian, since the
> Debian web of trust explicitly relies on being self-contained. You'd
> need to have a DD notary, which at this point makes the signature
> valid because of the DD property, and being notary becomes irrelevant.

The notary was to make a connection between the person's "government" ID and 
their picture--the other parts were to connect the picture with the e-mail 
address and GPG key. If this were sufficient to determine that someone is 
who they say they are to about as good a degree as meeting someone in
person and checking their ID (even if both methods share weaknesses), I'd 
say that's a success. Wouldn't you?

Wesley J. Landaker <wjl@icecavern.net>
OpenPGP FP: 4135 2A3B 4726 ACC5 9094  0097 F0A9 8A4C 4CD6 E3D2
