[kwlug-disc] Generating and using PGP keys

Cedric Puddy cedric at thinkers.org
Fri Feb 20 16:48:40 EST 2009


As far as I can tell, the grand Web Of Trust visions that some people
had, especially when the technology was just being developed, have
largely failed to pass.  The vast number of punters who have only very
basic purposes and interests in the software quite reasonably say
"Damn, that's a lot more investment than I'm prepared to put in." when
confronted with the full scope of Key Signing and Trust Done Right.

I think Chris and Adam touch on a key point -- the degree to which it
matters what that signature means depends very much on context and
purpose.  The result is that most people only care to a very minimal
degree about those things, and within certain verticals, it matters a
great deal (Boeing, for example, makes extensive use of PGP, and cares
very much indeed about key serial numbers, verification of facts, etc.)

I, on the other hand, use signing as an easy way of ensuring that I can
tell if my emails have been re-written, and I could, theoretically,
prove that I said such-and-such a thing on a given day by proving that
I had the key at that time, if such a circumstance ever developed --
like the developers of PGP, and their focus on the web of trust, they
were thinking more of what *might* happen, as opposed to what is
*likely* to happen :)

-Cedric

On 20-Feb-09, at 3:33 PM, Chris Frey wrote:

> On Fri, Feb 20, 2009 at 09:35:01AM -0500, Adam Glauser wrote:
>> Chris Frey wrote:
>>> For me, I already know
>>> you, so I'd just want to make sure you haven't been
>>> using an alias all this time. :-)
>>
>> Actually, would it really matter?  For many purposes, it is enough to
>> know that the person you call Brent is the same person that is
>> claiming to be the person you know as Brent in emails to this list.
>>
>> The kinds of situations where this distinction might be important are
>> communities where both reputation and anonymity are paramount.  Two
>> examples I can think of are human rights organizing and filesharing
>> release groups (without implying moral similarity).
>
> It depends what statement you are making with your act of signing
> the key.  If your signature represents your best effort at something
> "as good as physical ID", then it makes sense to check that ID first.
> I think there are a lot of people that make that assumption about key
> signing.
>
> But I agree that it is not necessary depending on the situation.
>
> I wonder if it is possible to attach a note to key signatures
> specifying what you mean by that signature.  I think there are
> already levels of signing, but it's been a while since I've signed a
> key.
>
> - Chris
>
>

|  CCj/ClearLine - Unix/NT Administration and TCP/IP Network Services
|  118 Louisa Street, Kitchener, Ontario, N2H 5M3, 519-489-0478
\________________________________________________________
    Cedric Puddy, IS Director            cedric at thinkers.org
      PGP Key Available at:              http://www.thinkers.org/cedric
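Chris asks whether a key signature can carry a note about what the signer means by it, and recalls that there are "levels of signing". Both exist in the OpenPGP format (RFC 4880): a certification's signature type encodes the level (0x10 generic, 0x11 persona, 0x12 casual, 0x13 positive), and a notation data subpacket in the hashed area can carry a free-text statement such as "checked photo ID, did not verify e-mail". The script below is an added example, not code from this thread or from GnuPG: it builds a v4 certification signature packet with a constructed notation and then parses the level and notation back out. The key ID, timestamp and notation name `meaning@example.org` are invented for the demo, and the signature MPI is filler, so the packet demonstrates the layout only and would not verify.

```python
"""Read the certification level and notation data out of an OpenPGP v4
signature packet (RFC 4880 sections 4.2, 5.2.1, 5.2.3.4, 5.2.3.16).

Added example; not code from the original thread.  The sample packet is
constructed inline and its signature MPI is filler, not a real signature.
"""
import struct
from datetime import datetime, timezone

# RFC 4880 5.2.1: signature types relevant to key certification.
SIG_TYPES = {
    0x00: "binary document",
    0x01: "canonical text document",
    0x10: "generic certification (no claim about how identity was checked)",
    0x11: "persona certification (no identity check done)",
    0x12: "casual certification (some casual identity check)",
    0x13: "positive certification (substantial identity check)",
    0x30: "certification revocation",
}
SUBPKT_CREATION_TIME = 2
SUBPKT_ISSUER = 16
SUBPKT_NOTATION = 20
NOTATION_HUMAN_READABLE = 0x80000000


def _subpacket(sptype, body, critical=False):
    """Encode one subpacket using the one-octet length form (< 192)."""
    assert len(body) + 1 < 192, "one-octet length form only"
    return bytes([len(body) + 1, sptype | (0x80 if critical else 0)]) + body


def build_certification(sig_type, issuer_keyid_hex, created, notations):
    """Build a v4 signature packet; notations go in the *hashed* area so
    they are covered by the signature.  pubkey algo 1 = RSA, hash 8 = SHA-256.
    The trailing MPI is filler: this shows layout, not signing."""
    hashed = _subpacket(SUBPKT_CREATION_TIME, struct.pack(">I", created))
    for name, value in notations.items():
        n, v = name.encode(), value.encode()
        hashed += _subpacket(
            SUBPKT_NOTATION,
            struct.pack(">IHH", NOTATION_HUMAN_READABLE, len(n), len(v)) + n + v)
    unhashed = _subpacket(SUBPKT_ISSUER, bytes.fromhex(issuer_keyid_hex))
    body = (bytes([4, sig_type, 1, 8])
            + struct.pack(">H", len(hashed)) + hashed
            + struct.pack(">H", len(unhashed)) + unhashed
            + b"\xab\xcd"                       # left 16 bits of hash (filler)
            + struct.pack(">H", 8) + b"\xff")   # 8-bit MPI, filler value
    assert len(body) < 192, "one-octet packet length form only"
    return bytes([0xC2, len(body)]) + body      # new-format header, tag 2


def _parse_subpackets(data):
    """Walk a subpacket area; collect the fields this demo cares about and
    record any *critical* subpacket we do not understand (a verifier must
    treat the whole signature as invalid in that case, RFC 4880 5.2.3.1)."""
    out = {"notations": {}, "critical_unknown": []}
    i = 0
    while i < len(data):
        length = data[i]
        if length >= 192:
            raise ValueError("only one-octet subpacket lengths handled here")
        raw_type = data[i + 1]
        body = data[i + 2: i + 1 + length]
        i += 1 + length
        critical, sptype = bool(raw_type & 0x80), raw_type & 0x7F
        if sptype == SUBPKT_CREATION_TIME:
            out["created"] = struct.unpack(">I", body)[0]
        elif sptype == SUBPKT_ISSUER:
            out["issuer"] = body.hex().upper()
        elif sptype == SUBPKT_NOTATION:
            flags, nlen, vlen = struct.unpack(">IHH", body[:8])
            name = body[8: 8 + nlen].decode()
            value = body[8 + nlen: 8 + nlen + vlen]
            if flags & NOTATION_HUMAN_READABLE:
                value = value.decode()
            out["notations"][name] = value
        elif critical:
            out["critical_unknown"].append(sptype)
    return out


def parse_signature_packet(pkt):
    """Return the certification level, its meaning, creation time, issuer
    and the notations found in the hashed (signed) area."""
    if pkt[0] != 0xC2:
        raise ValueError("not a new-format signature packet")
    body = pkt[2: 2 + pkt[1]]
    version, sig_type, _pk_algo, _hash_algo = body[:4]
    if version != 4:
        raise ValueError("only v4 signatures handled")
    hlen = struct.unpack(">H", body[4:6])[0]
    hashed = _parse_subpackets(body[6: 6 + hlen])
    pos = 6 + hlen
    ulen = struct.unpack(">H", body[pos: pos + 2])[0]
    unhashed = _parse_subpackets(body[pos + 2: pos + 2 + ulen])
    return {
        "sig_type": sig_type,
        "meaning": SIG_TYPES.get(sig_type, "unknown 0x%02x" % sig_type),
        "created": datetime.fromtimestamp(hashed["created"], timezone.utc),
        "issuer": unhashed.get("issuer"),      # unhashed: a hint, not signed data
        "notations": hashed["notations"],      # hashed: covered by the signature
        "critical_unknown": hashed["critical_unknown"],
    }


# Constructed sample: a casual (0x12) certification with an invented key ID,
# a timestamp near this thread's date, and a hypothetical notation name.
CASUAL = build_certification(
    0x12, "0123456789ABCDEF", 1235166520,
    {"meaning@example.org": "met at KWLUG; checked photo ID; did not verify e-mail"})

if __name__ == "__main__":
    info = parse_signature_packet(CASUAL)
    print("level 0x%02x: %s" % (info["sig_type"], info["meaning"]))
    for name, value in info["notations"].items():
        print("notation %s = %s" % (name, value))
```

Two points from the parser matter in practice: only notations in the hashed area are protected by the signature, so a reader of `gpg --list-sigs` output should not trust text that a third party could have appended to the unhashed area, and a signature carrying a critical subpacket the verifier does not understand must be rejected rather than displayed. GnuPG exposes the same machinery as the `--ask-cert-level` / `--default-cert-level` options and `--cert-notation name=value` when signing a key.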