On 10 October 2013 22:31, John Gilmore <g...@toad.com> wrote:
>> Does PGP have any particular support for key signing parties built in or is
>> this just something that has grown up as a practice of use?
>
> It's just a practice. I agree that building a small amount of automation
> for key signing parties would improve the web of trust.

Do key signing parties even happen much anymore? The last time I saw one advertised was around PGP 2.6!

>> I am specifically thinking of ways that key signing parties might be made
>> scalable so that it was possible for hundreds of thousands of people...
>
> An important user experience point is that we should be teaching GPG
> users to only sign the keys of people who they personally know.
> Having a signature that says, "This person attended the RSA conference
> in October 2013" is not particularly useful. (Such a signature could
> be generated by the conference organizers themselves, if they wanted
> to.) Since the conference organizers -- and most other attendees --
> don't know what an attendee's real identity is, their signature on
> that identity is worthless anyway.

I can sign the public keys of people I personally know without a key signing party. :-)

For many purposes I don't care about a person's official, legal identity, but I do want to communicate with a particular persona. For instance at DefCon or CCC I neither know nor care whether someone identifies themselves to me by their legal name or hacker handle, but it is very useful to know & authenticate that they are in control of a private PGP/GPG key in that name on a particular date.

_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography