Hi

On Thursday 30 January 2014 at 10:43:39 PM, in
<mid:20140130224339.5fcb0d27@steves-laptop>, Steve Jones wrote:

> Well therein lies my problem with the PGP system. It
> relies on the notion of there being this singular thing
> called your identity.

I'll take that to mean your problem with the web of trust. The pedantry about verifying government-issued identity is perhaps necessary if you have the need to be confident the government knows the other person as "John Smith" and that they are the right one of the many "John Smiths" in existence. If that is not needed, the name by which any government knows the person is irrelevant.

> This doesn't really match how people work in the world, it certainly
> doesn't match how things work online.

That's right, each context in which a person presents themself is effectively a distinct identity or persona. If the contexts overlap, there is a certain amount of blending between the distinct personas.

> There are plenty of people I've
> known for years by a particular name and using a
> particular email address, but by the standards of PGP I
> haven't verified their identity so shouldn't sign their
> key.

Your certification on a key means exactly what you want it to mean. If your certification is published with a key, it is up to each user to interpret that certification as they see fit (or to ignore it entirely).

> In online communications so many people are just
> names, urls or email addresses, their identity is just
> the things they've said and published.

Is that so different from the person you don't actually know, but they are sometimes on the train when you are commuting, and just occasionally you chat?

> If I was
> accepting a cheque from one of those people I'd
> probably look for an identity confirmation,

If I didn't know their name or address, depending on the amount involved I may not accept the cheque.

> if I just
> wanted to talk to them in probable privacy then a few
> other people saying effectively "Yeah I've used that
> key for that person" is enough.

Is that what the signature means? Are they not simply saying, in effect, "Yeah I've used that key for that _email address_?"

> To put it somewhat glibly, if a friend introduces
> someone to you do you ask for an affidavit that your
> friend has seen two forms of state issued photo id
> before you'll talk to them?

Depends on the conversation. (-;

> Yes, entirely. As it stands however the standard threat
> model seems that we have to assume that all attackers
> are the NSA.

There is no standard threat model. But the NSA and others are, at least anecdotally, monitoring all communications and retaining copies if they are encrypted. And any person could come under scrutiny as a result of being only a small number of communication hops from a "person of interest."

--
Best regards

MFPA mailto:2014-667rhzu3dc-lists-gro...@riseup.net

Lack of money is no obstacle. Lack of an idea is an obstacle.

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users