On 06/02/17 09:37, Richard Ulrich wrote:
> So we sometimes resort to keybase.io. There the key is verified by
> some social media. Sure, if the social media profiles have existed
> for some years and have some legitimate looking interactions, it is
> a good indicator that it's not a fake account. But still, I would
> trust a government verification more than social media.

keybase.io is a great idea. But its main use is to tie a PGP key to a social media account or accounts that act as a surrogate web of trust (by being referenced in multiple independent places by hopefully reputable third parties). But if your correspondent's social network does not overlap with yours, again I'm not sure much value is added.

> For example I bought a car last week with Bitcoin. The person that
> handled the payment for the seller was not present, but gave me his
> keybase.io user name on the phone. He signed the email containing
> the Bitcoin address for the payments with his GPG key. He didn't
> have any signatures on his key.

I'm not sure I would have the cojones to follow through with this deal, signatures or no. ;-)

> In this scenario I'm grateful for every piece of validation to give
> the key more credibility.

In a scenario where you do not know the intermediary, the only meaningful validation is whether the vendor vouches for both the intermediary's person and key. The fact that the intermediary offers you *an* identity doesn't mean you are validating the correct identity. If for example he had given you a key signed by a Russian government agency, would you have had more confidence? Granted, you like (and obviously trust to some extent) the Estonian e-ID system. Others might not have so much faith.

Sorry if I'm coming across as a little harsh, but you are proposing spending hard cash and I'd hate to see you do so and not get your money's worth. By all means, get an e-ID for the fun, for experiment, or to start up a company. But signing PGP keys with it is non-standard, and it's hard enough to convince most people to verify keys via standard methods.

The problem with any PKI (which we still haven't cracked) is that the motivation to get your key signed is "How do I prove my identity to others", while the motivation of the person verifying the key is "To what extent should I trust this person".
And unfortunately, the two questions are far from equivalent. A
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users