On Tuesday, 07.02.2017, 11:33 +0000, Andrew Gallagher wrote:
> On 06/02/17 09:37, Richard Ulrich wrote:
> >
> > So we sometimes resort to keybase.io. There the key is verified by
> > some social media. Sure, if the social media profiles have existed
> > for some years and have some legitimate-looking interactions, it is
> > a good indicator that it's not a fake account. But still, I would
> > trust a government verification more than social media.
>
> keybase.io is a great idea. But its main use is to tie a PGP key to a
> social media account or accounts that act as a surrogate web of trust
> (by being referenced in multiple independent places by hopefully
> reputable third parties). But if your correspondent's social network
> does not overlap with yours, again I'm not sure much value is added.

Every piece adds to the probability of the key being valid.

> > For example I bought a car last week with Bitcoin. The person that
> > handled the payment for the seller was not present, but gave me his
> > keybase.io user name on the phone. He signed the email containing
> > the Bitcoin address for the payments with his GPG key. He didn't
> > have any signatures on his key.
>
> I'm not sure I would have the cojones to follow through with this deal,
> signatures or no. ;-)
>
> > In this scenario I'm grateful for every piece of validation to give
> > the key more credibility.
>
> In a scenario where you do not know the intermediary, the only
> meaningful validation is whether the vendor vouches for both the
> intermediary's person and key. The fact that the intermediary
> offers you *an* identity doesn't mean you are validating the correct
> identity.

He is the business partner of the son of the seller. The son was present and wrote the info down for me.

> If for example he had given you a key signed by a Russian government
> agency, would you have had more confidence? Granted, you like (and
> obviously trust to some extent) the Estonian e-ID system. Others might
> not have so much faith.
>
> Sorry if I'm coming across as a little harsh, but you are proposing
> spending hard cash and I'd hate to see you do so and not get your
> money's worth. By all means, get an e-ID for the fun, for experiment,
> or to start up a company. But signing PGP keys with it is non-standard,
> and it's hard enough to convince most people to verify
> keys via standard methods.
>
> The problem with any PKI (which we still haven't cracked) is that the
> motivation to get your key signed is "How do I prove my identity to
> others", while the motivation of the person verifying the key is "To
> what extent should I trust this person". And unfortunately, the two
> questions are far from equivalent.

Usually the proof of identity is done with government-issued IDs. So the Estonian e-residency smart card is not so much different in that regard.
Of course it would be better if every country issued something like that to its citizens. And even better if that was compatible with GPG. But until that happens we might have to improvise sometimes.
There is also SuisseID, somehow similar, but the cost is so high that nobody is interested.

Rgds
Richard

> A
>
> _______________________________________________
> Gnupg-users mailing list
> Gnupg-users@gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users
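The thread's observation that a key "didn't have any signatures" is something a verifier can check mechanically before weighing other evidence such as keybase.io proofs. The following Python is an added example, not code from the thread or from GnuPG: it parses the machine-readable output of `gpg --with-colons --list-sigs` (field layout per GnuPG's doc/DETAILS) and reports, per user ID, how many self-signatures versus distinct third-party certifications a key carries, alongside the validity gpg itself computed. The key IDs, names and the listing text are constructed placeholders, not real keys.

```python
"""Summarize certifications on OpenPGP keys from gpg's colon-separated listing.

Assumed workflow (not from the original thread): run
    gpg --with-colons --list-sigs KEYID
and pass the text to summarize_colon_listing(). Colon-record fields used:
  field 1 = record type (pub/uid/sig/sub), field 2 = validity (pub/uid),
  field 5 = key ID (pub) or signer key ID (sig), field 10 = user ID,
  field 11 = signature class (10x..13x are certifications).
"""
from dataclasses import dataclass, field
from typing import Dict, List

# gpg's single-letter validity codes (doc/DETAILS).
VALIDITY = {"u": "ultimate", "f": "full", "m": "marginal", "-": "unknown",
            "q": "undefined", "n": "never", "e": "expired", "r": "revoked",
            "i": "invalid"}
CERT_CLASSES = {"10", "11", "12", "13"}  # generic/persona/casual/positive certs


@dataclass
class UidSummary:
    self_sigs: int = 0
    third_party: List[str] = field(default_factory=list)  # distinct signer key IDs


@dataclass
class KeySummary:
    key_id: str
    validity: str
    uids: Dict[str, UidSummary] = field(default_factory=dict)


def summarize_colon_listing(text: str) -> Dict[str, KeySummary]:
    """Parse --with-colons output into per-key, per-UID certification counts."""
    keys: Dict[str, KeySummary] = {}
    current_key = None
    current_uid = None
    for line in text.splitlines():
        f = line.split(":")
        rec = f[0]
        if rec == "pub":
            current_key = KeySummary(key_id=f[4], validity=VALIDITY.get(f[1], f[1]))
            keys[current_key.key_id] = current_key
            current_uid = None
        elif rec == "uid" and current_key is not None:
            current_uid = f[9]
            current_key.uids[current_uid] = UidSummary()
        elif rec == "sub":
            # Signatures following a subkey record are binding sigs, not certifications.
            current_uid = None
        elif rec == "sig" and current_key is not None and current_uid is not None:
            if f[10][:2] not in CERT_CLASSES:
                continue
            signer = f[4]
            summary = current_key.uids[current_uid]
            if signer == current_key.key_id:
                summary.self_sigs += 1
            elif signer not in summary.third_party:
                summary.third_party.append(signer)
    return keys


def third_party_certifiers(keys: Dict[str, KeySummary], key_id: str) -> List[str]:
    """Sorted list of distinct non-self key IDs certifying any UID of key_id."""
    signers = set()
    for uid in keys[key_id].uids.values():
        signers.update(uid.third_party)
    return sorted(signers)


# Constructed sample listing: one key with only a self-signature (like the
# intermediary's key in the thread) and one key certified by two other keys.
SAMPLE_LISTING = """\
tru::1:1486000000:0:3:1:5
pub:-:2048:1:0123456789ABCDEF:1480000000:::-:::scESC::::::23::0:
fpr:::::::::ABCDEF0123456789ABCDEF0123456789ABCDEF01:
uid:-::::1480000000::UIDHASH1::Example Person <person@example.org>::::::::::0:
sig:::1:0123456789ABCDEF:1480000000::::Example Person <person@example.org>:13x:::::2:
sub:-:2048:1:FEDCBA9876543210:1480000000::::::e::::::23:
sig:::1:0123456789ABCDEF:1480000000::::Example Person <person@example.org>:18x:::::2:
pub:f:4096:1:1122334455667788:1470000000:::-:::scESC::::::23::0:
fpr:::::::::1122334455667788112233445566778811223344:
uid:f::::1470000000::UIDHASH2::Alice Signer <alice@example.org>::::::::::0:
sig:::1:1122334455667788:1470000000::::Alice Signer <alice@example.org>:13x:::::2:
sig:::1:AABBCCDDEEFF0011:1475000000::::Bob Certifier <bob@example.org>:13x:::::2:
sig:::1:99887766554433AA:1476000000::::[User ID not found]:12x:::::2:
"""

if __name__ == "__main__":
    for key_id, k in summarize_colon_listing(SAMPLE_LISTING).items():
        certs = third_party_certifiers(summarize_colon_listing(SAMPLE_LISTING), key_id)
        print(f"{key_id}: validity={k.validity}, third-party certifiers={certs or 'none'}")
```

The raw counts are evidence, not a verdict: gpg's own validity column already reflects the web-of-trust computation against your ownertrust settings, while the certifier list shows whether there is anything to evaluate at all. A certifier whose user ID prints as "[User ID not found]" is a key you do not hold, so its certification cannot be weighed until that key is fetched and itself verified.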