On 2013-10-10 (283), at 19:24:19, Glenn Willen <gwil...@nerdnet.org> wrote:
> John,
>
> On Oct 10, 2013, at 2:31 PM, John Gilmore wrote:
>>
>> An important user experience point is that we should be teaching GPG
>> users to only sign the keys of people who they personally know. [....]
>> would be false and would undermine the strength of the web of trust.
>
> I am going to be interested to hear what the rest of the list says about
> this, because this definitely contradicts what has been presented to me as
> 'standard practice' for PGP use -- verifying identity using government-issued
> ID, and completely ignoring personal knowledge.
>
> Do you have any insight into what proportion of PGP/GPG users mean their
> signatures as "personal knowledge" (my preference and evidently yours),
> versus "government ID" (my perception of the community standard "best
> practice"), versus "no verification in particular" (my perception of the
> actual common practice in many cases)?
>
> (In my ideal world, we'd have a machine-readable way of indicating what sort
> of verification was performed. Signing policies, not being machine-readable
> or widely used, don't cover this well. There is space for key-value
> annotations in signature packets, which could help with this if we
> standardized on some.)
>
> Glenn Willen
> ______________________________________________

Surely to make it two-factor it needs to be someone you know _and_ something
they have? :-)

__outer

_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography
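The "key-value annotations in signature packets" Glenn mentions are OpenPGP notation-data subpackets (RFC 4880 section 5.2.3.16). The Python below is an added example, not code from anyone on the thread: it encodes a notation recording what kind of identity check a signer performed, assembles a constructed v4 certification signature packet around it, and then extracts notations the way a verifier should. The notation name `verification@example.org`, its values, the timestamp and the key ID are invented for illustration, and the trailing MPI is a placeholder, so the packet is not a real signature; only the subpacket layout is exercised. It also shows the one check a practitioner needs here: notations are only trustworthy in the hashed subpacket area, because the unhashed area is not covered by the signature and anyone holding the certificate can append a contradictory claim there.

```python
"""OpenPGP notation-data subpackets (RFC 4880 5.2.3.16); added example, constructed data."""
import struct

SIG_CREATION_TIME = 2
NOTATION_DATA = 20
CRITICAL = 0x80              # bit 7 of the subpacket type octet
HUMAN_READABLE = 0x80000000  # bit 0 of the first notation flag octet

# Hypothetical user-space notation name. RFC 4880 reserves "name@domain" for
# user-defined notations, so a real deployment would pick its own domain.
VERIFICATION_NOTATION = "verification@example.org"

def encode_subpacket_length(n):
    """One-, two- or five-octet subpacket length (RFC 4880 5.2.3.1)."""
    if n < 192:
        return bytes([n])
    if n < 16320:
        m = n - 192
        return bytes([(m >> 8) + 192, m & 0xFF])
    return b"\xff" + struct.pack(">I", n)

def decode_subpacket_length(buf, off):
    """Return (length, offset just past the length field)."""
    first = buf[off]
    if first < 192:
        return first, off + 1
    if first < 255:
        return ((first - 192) << 8) + buf[off + 1] + 192, off + 2
    return struct.unpack(">I", buf[off + 1:off + 5])[0], off + 5

def encode_subpacket(sub_type, body, critical=False):
    # The length field counts the type octet as well as the body.
    type_octet = sub_type | (CRITICAL if critical else 0)
    return encode_subpacket_length(len(body) + 1) + bytes([type_octet]) + body

def encode_notation(name, value, human_readable=True, critical=False):
    name_b, value_b = name.encode("utf-8"), value.encode("utf-8")
    flags = HUMAN_READABLE if human_readable else 0
    body = struct.pack(">IHH", flags, len(name_b), len(value_b)) + name_b + value_b
    return encode_subpacket(NOTATION_DATA, body, critical)

def iter_subpackets(area):
    """Yield (type, critical, body) for every subpacket in a subpacket area."""
    off = 0
    while off < len(area):
        length, off = decode_subpacket_length(area, off)
        if length == 0 or off + length > len(area):
            raise ValueError("malformed subpacket length")
        type_octet = area[off]
        yield type_octet & 0x7F, bool(type_octet & CRITICAL), area[off + 1:off + length]
        off += length

def parse_notation(body):
    """Return (name, value, human_readable); value is str only if human-readable."""
    flags, name_len, value_len = struct.unpack(">IHH", body[:8])
    name = body[8:8 + name_len]
    value = body[8 + name_len:8 + name_len + value_len]
    if len(name) != name_len or len(value) != value_len:
        raise ValueError("truncated notation subpacket")
    human = bool(flags & HUMAN_READABLE)
    return name.decode("utf-8"), (value.decode("utf-8") if human else value), human

def build_v4_signature(hashed, unhashed, sig_mpis):
    """Assemble a v4 signature packet body (no packet header)."""
    head = bytes([4, 0x13, 1, 8])  # v4, positive certification, RSA, SHA-256
    return (head + struct.pack(">H", len(hashed)) + hashed
            + struct.pack(">H", len(unhashed)) + unhashed
            + b"\x00\x00"  # left 16 bits of the hash; placeholder here
            + sig_mpis)

def notations_from_v4_signature(packet, hashed_only=True):
    """Extract notations; by default only from the signed (hashed) area."""
    if packet[0] != 4:
        raise ValueError("only v4 signatures are handled here")
    hashed_len = struct.unpack(">H", packet[4:6])[0]
    hashed = packet[6:6 + hashed_len]
    pos = 6 + hashed_len
    unhashed_len = struct.unpack(">H", packet[pos:pos + 2])[0]
    unhashed = packet[pos + 2:pos + 2 + unhashed_len]
    areas = [hashed] if hashed_only else [hashed, unhashed]
    return [parse_notation(body) for area in areas
            for sub_type, _crit, body in iter_subpackets(area) if sub_type == NOTATION_DATA]

def build_example():
    """Constructed packet: the signer's claim sits in the hashed area, while a
    contradictory claim has been appended to the unsigned unhashed area."""
    hashed = (encode_subpacket(SIG_CREATION_TIME, struct.pack(">I", 1381433059))
              + encode_notation(VERIFICATION_NOTATION, "personal-knowledge"))
    unhashed = encode_notation(VERIFICATION_NOTATION, "government-id")
    placeholder_mpi = struct.pack(">H", 8) + b"\xff"  # 8-bit MPI, not a real signature
    return build_v4_signature(hashed, unhashed, placeholder_mpi)
```

`notations_from_v4_signature(build_example())` returns only the `personal-knowledge` notation; passing `hashed_only=False` also surfaces the appended `government-id` claim, which a verifier must not act on. In practice GnuPG emits such subpackets with `--cert-notation name=value` when certifying a key and shows them with `--list-options show-notations`; standardizing the name and its values, which Glenn asks for, is the part the format itself does not supply.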