[messaging] Identity; was: Thoughts on keyservers
Ximin Luo
infinity0 at pwned.gg
Wed Aug 20 05:16:54 PDT 2014
On 20/08/14 12:06, Alaric Snell-Pym wrote:
> On 19/08/14 19:07, Bruce Leidl wrote:
>> On Tue, Aug 19, 2014 at 8:45 AM, Ximin Luo <infinity0 at pwned.gg> wrote:
>>
>>
>>> These are not specified in great detail, partly because there are so many ways of doing it, but it is an important part of the system. Often we don't even have an agreed precise *definition* of what it means for the key to be valid. We only have rough definitions, and we try to design auditing and monitoring around this; this is brittle and so we should decide on more precise definitions.
>>
>> I think there are two philosophies on what constitutes a valid key
>> certification: (1) You can verify real life identities, or (2) you can
>> verify email addresses.
>
> I'd suggest a third: (3) you can verify somebody by their past actions.
> Somebody who reads my occasional posts to this list and thinks me a
> wonderful, erudite, enlightened, person might want to contact me
> securely; I can build up such a reputation (and, after all, what more is
> there to an "identity" than a reputation that identity has?) by signing
> everything with the same key.
>
> Any binding to real name or email address is then merely a convenience,
> so one knows how to address me (although to be honest, "hey dickhead"
> will do just fine) and an address I'm likely to be reachable at; in
> either case, a mere statement (signed by me) of my email address and
> name is sufficient.
>
> I think that a very important test for "validity" is just "is this the
> same person as I've seen before", either with the same key or with a
> signed statement asserting that the new key is also theirs...
>
Bindings of the form (actions) -> (key) are harder to bootstrap - current systems would restrict you only to actions that can be signed, such as making comments, commits, or files.
If we bind to real-world identities, we can use our knowledge of real actions performed by them to build up our view of their reputation more quickly. I'm not sure how to bind these things directly to a key.
X
--
GPG: 4096R/1318EFAC5FBBDBCE
git://github.com/infinity0/pubkeys.git