[messaging] Thoughts on keyservers

[Alaric Snell-Pym]

On 19/08/14 19:07, Bruce Leidl wrote:
> On Tue, Aug 19, 2014 at 8:45 AM, Ximin Luo <infinity0 at pwned.gg> wrote:
> 
> 
>> These are not specified in great detail, partly because there are so many ways of doing it, but it is an important part of the system. Often we don't even have an agreed precise *definition* of what it means for the key to be valid. We only have rough definitions, and we try to design auditing and monitoring around this; this is brittle and so we should decide on more precise definitions.
> 
> I think there are two philosophies on what constitutes a valid key
> certification: (1) You can verify real life identities, or (2) you can
> verify email addresses.

I'd suggest a third: (3) you can verify somebody by their past actions.
Somebody who reads my occasional posts to this list and thinks me a
wonderful, erudite, enlightened, person might want to contact me
securely; I can build up such a reputation (and, after all, what more is
there to an "identity" than a reputation that identity has?) by signing
everything with the same key.

Any binding to real name or email address is then merely a convenience,
so one knows how to address me (although to be honest, "hey dickhead"
will do just fine) and an address I'm likely to be reachable at; in
either case, a mere statement (signed by me) of my email address and
name is sufficient.

I think that a very important test for "validity" is just "is this the
same person as I've seen before", either with the same key or with a
signed statement asserting that the new key is also theirs...

ABS

-- 
Alaric Snell-Pym
http://www.snell-pym.org.uk/alaric/

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: OpenPGP digital signature
URL: <http://moderncrypto.org/mail-archive/messaging/attachments/20140820/d44776dd/attachment.sig>