On 2013-09-16 at 17:11 -0400, Lawrence K. Chen, P.Eng. wrote:
> But, when you're assured (50+) you can also have CAcert sign your gpg key(s).
>
> To get 50 points, you'll need to have been assured by at least two assurers.

I'm able to perform CAcert assurances and can issue up to 35 points, if presented with two forms of government-issued photo ID. (Has to be government; I can't "let it slip", there's $1k of personal liability if I don't keep proper records.)

I'm currently in San Francisco, and fly back to Pittsburgh (PA) tomorrow. If anyone in SF wants a CAcert assurance tonight (Monday), drop an SMS to the phone number in whois for the domain I'm sending this from. In the unlikely event of more than one person saying "yes", we'll figure something out. Anyone in the Pittsburgh region, drop me an email.

For those using PGP: if you haven't already done so, take a look at caff(1), which is part of the "signing-party" suite of tools from Debian (it is packaged for various other OSes). See also: http://pgp-tools.alioth.debian.org/

Those who worry about "what sort of statement am I making when I sign a PGP key": the short version is that if you do *not* use a "local signature", then your signature is a *public* attestation as to there being an identity mapping between the key and whichever UIDs you signed.

Using caff(1) makes it easy to do a decent job here: photo ID typically lets you become confident in the _name_ part of a UID, but not the email; caff will let you send each signature on each UID to the email address in the UID, PGP-encrypted to the recipient, so that only someone who can access the mailbox and wants that signature public can close the loop.

GnuPG's `--cert-policy-url` option will let you attach a URL as part of a signature, providing more information about the signature. For instance, some of my signatures upon keys belonging to others carry this annotation: https://www.security.spodhuis.org/PGP/policy/party

It doesn't scale for automated trust building, but lets folks figure out how seriously things were checked.

It's *really* good to be able to verify the signatures on software when a security update comes out; Apache, Bind Named, Exim, etc. (Okay, it's cheating, I have a *very* good trust path for the last ;-) but we do make sure that releases are signed by someone in the Strong Set).

-Phil

_______________________________________________
Tech mailing list
[email protected]
https://lists.lopsa.org/cgi-bin/mailman/listinfo/tech
This list provided by the League of Professional System Administrators
http://lopsa.org/
