[messaging] twitter and github as key validators [was: Re: key validation rules for today]

Ruben Pollan meskio at sindominio.net
Tue Sep 9 13:00:12 PDT 2014

Quoting Tim Bray (2014-09-09 11:48:10)
> On Tue, Sep 9, 2014 at 9:35 AM, Daniel Kahn Gillmor <dkg at fifthhorseman.net>
> wrote:
>     I'm afraid i don't understand the argument here.  What is the use case
>     here?
>      0) something is published on twitter account "foo" and i want to know
>     to whom to attribute authorship.
>      1) i regularly communicate with "foo" on twitter, and i want to know
>     how to communicate with the author in other communications channels.
> 2) You want to communicate with me, Tim Bray, and go looking for a key for me.
>  You discover that there is a directory of keys, and you can retrieve a public
> key from it, and the corresponding private key has been used to sign a
> time-stamped tweet from @timbray and gist from github/timbray and an assertion
> at tbray.org, and because you know who I am on Twitter and github and what my
> personal domain is, and you can check the signatures, you are prepared to
> believe that that public key is appropriate for communication with me.

Yes, but I don't have any way to audit twitter or github. As dkg is mentioning
in his email, you are putting them in the role of a CA without their consent.

Ruben Pollan  | http://meskio.net/
 My contact info: http://meskio.net/crypto.txt
We're going to Croatan.