On Fri, 24 Jan 2014 17:16:28 -0500 Daniel Kahn Gillmor <d...@fifthhorseman.net> wrote:
> what do you mean "complete connection security via OpenPGP"? OpenPGP > is not a stream-based communications protocol, it's a specification > of a message format and a certificate format. Inventing a new > stream-based communications protocol from scratch and shoehorning it > into OpenPGP doesn't sound like a great idea to me. OpenPGP is a packetised data format. There's nothing stopping it being used to send a stream of encrypted and signed data packets. The main thing you lose is the complicated and messy handshake at the start which seems to be the cause of so many implementation bugs. You do loose the possibility of perfect forward secrecy though. It was more an idle musing than anything else though. > how are other people going to verify these propose User IDs? > > If you make a data element a subkey or a notation in your > self-signature, you are not asking other people to attempt to certify > it. > > If you make the same data element a User ID or User Attribute, then > you are effectively putting it out there for other people to attempt > to verify and then certify. > > If you came to me and said "I am the person who blogs at > https://www.example.com/stevejones" , how am i supposed to verify > that? when would you want me to certify it? Well the simplest way would be if I signed my blog posts. It's easy enough to verify that my emails and posts are signed with the same key. Cryptographically easy that is, the existing tools are not so good for this kind of method of operation. Otherwise by usual web of trust means. If people who know me by other means are convinced that that blog is mine they can sign that UID, in the same manner as people could sign a photo attribute if they know what I look like. Finally there's the possibility of explicit verification, if someone sends me a challenge and I publish that challenge's signature on my blog then that verifies that I am in control of that private key and can publish to that blog. Which reminds me that I'd really like an email client that automatically signs keys at level 1 (persona) of anyone who replies with a signed email that quotes a significant portion of the text I sent, as this effectively counts as a challenge response protocol in my book. -- Steve Jones <st...@secretvolcanobase.org> Key fingerprint: 3550 BFC8 D7BA 4286 0FBC 4272 2AC8 A680 7167 C896
signature.asc
Description: PGP signature
_______________________________________________ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users