On 13-10-18 05:59 AM, Peter Lebbing wrote:
>
> However, here an interesting dichotomy surfaces: the scenario the OP painted
> was that the HR person or notary did not use OpenPGP or key signatures, but
> that you still rely on the identity verification done by the HR person.

That's correct.

> This would thus constitute identity verification outside the Web of Trust,

Indeed! I completely agree with your prior opposition to people signing keys
just because somebody they trust signed one, and how trust relationships work
to avoid the need to do that.

> and I suppose I would find that acceptable.

I'm still not convinced, but that is why I brought it up for discussion. :-)

> Although I'm a bit unclear on how this "virtual keysigning party" would in
> practice be held: how does the notary state he trusts the identity? Where
> does the fingerprint of the key come in to play? You are asserting that a
> certain person holds a certain key, the key has to be part of the
> verification. But the notary wasn't using OpenPGP.

Right. The key signing party relies on a means of communication that can be
considered authenticated. It could be e-mail (a closed corporate e-mail system,
not "across the Internet" e-mail) or it could be "credentials required" (again,
closed, corporate) instant messaging, for example. So that is, account
compromise aside, you know that when Bob sends you an e-mail or an instant
message, it did come from Bob, because only Bob knows the credentials to be
able to send messages in the messaging system from his account.

Indeed, corporate messaging account compromise, or IT black-hats, are a risk
here. I guess it would be up to the individuals to assess the risk of such a
thing, just like one has to assess the risk that the ID that one is verifying
at a traditional key-signing party is fraudulent or not.

> The dichotomy is thus: if the notary does not sign keys, I would be okay with
> people signing keys based on the notary's verification efforts. But if that
> same notary did everything he or she did before *and* did something extra,
> namely signing keys, suddenly I'm not okay with people signing keys based on
> the notary's verification efforts. That's odd.

It is odd. But I understand it.

> But the dichotomy doesn't change my position on this. Perhaps a clear answer
> to how the key fingerprint comes into play would take away the oddity, because
> perhaps then suddenly there /is/ a verification effort by the people signing
> the key: that the key belongs to the owner. That the owner is who they say
> they are, is then left to the notary.

Interesting perspectives, indeed.

Cheers,

b.
_______________________________________________ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
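The procedure the reply sketches, a fingerprint that Bob sent over the authenticated corporate channel being checked against the key file before anyone signs it, written out as an added example that is not part of the thread. It assumes a POSIX shell and GnuPG 2.2 or later (for --show-keys and --quick-lsign-key); the fingerprints in the comments are constructed, not real keys.

```shell
#!/bin/sh
# Added example (not from the gnupg-users thread): sign a colleague's key only
# if it matches the fingerprint received over an authenticated internal channel.

# Normalise a fingerprint as people paste it in e-mail or IM (spaces, lower
# case, a leading "0x") into the bare upper-case hex form gpg prints in
# --with-colons output.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t\n' | sed 's/^0[xX]//' | tr 'a-f' 'A-F'
}

# Succeed only when both values are well-formed fingerprints (40 hex chars for
# v4 keys, 64 for v5) and identical after normalisation.
fpr_matches() {
    a=$(normalize_fpr "$1")
    b=$(normalize_fpr "$2")
    case "$a" in *[!0-9A-F]*|'') return 1 ;; esac
    case ${#a} in 40|64) ;; *) return 1 ;; esac
    [ "$a" = "$b" ]
}

# Fingerprint of the primary key in an exported key file, taken from the "fpr"
# record (field 10) of gpg's machine-readable listing. This is computed by gpg
# from the key material itself, not read from any user ID text in the key.
key_file_fpr() {
    gpg --batch --with-colons --show-keys "$1" 2>/dev/null |
        awk -F: '$1 == "fpr" { print $10; exit }'
}

# $1: key file Bob exported, $2: the fingerprint Bob sent over the corporate
# channel. Import and locally sign only on an exact match; the fingerprint is
# also used as the key selector when signing, so a keyring holding several keys
# that claim to be Bob's cannot lead to the wrong one being signed.
verify_and_lsign() {
    keyfile=$1
    expected=$2
    actual=$(key_file_fpr "$keyfile")
    if ! fpr_matches "$expected" "$actual"; then
        echo "fingerprint mismatch: channel said '$expected', key file has '$actual'" >&2
        return 1
    fi
    gpg --batch --import "$keyfile" &&
        gpg --quick-lsign-key "$(normalize_fpr "$expected")"
}

# Run only when invoked with a key file and a fingerprint, and gpg is present.
if [ $# -eq 2 ] && command -v gpg >/dev/null 2>&1; then
    verify_and_lsign "$1" "$2"
fi
```

Usage: `sh verify.sh bob.asc "0123 4567 89AB CDEF 0123 4567 89AB CDEF 0123 4567"` with the second argument pasted from Bob's message. The script uses --quick-lsign-key (a local, non-exportable signature) because, as discussed above, this verification happens outside the Web of Trust and nobody else can audit it; replace it with --quick-sign-key only if you deliberately want to publish the certification. The fingerprint check is the whole point of the exercise: the channel authenticates Bob, the fingerprint binds Bob to one specific key, and the signature is refused unless both line up.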