User attributes and audio IDs (was: Trouble signing)

David Shaw dshaw@jabberwocky.com
Sat May 17 06:09:02 2003


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Fri, May 16, 2003 at 07:49:37PM -0500, Richard Laager wrote:
> David Shaw wrote:

> > Yes.  It doesn't lower security (it's just a different sort of ID),
> > but I can't think of any really good uses for it except the coolness
> > factor.  Then again, it could be argued that photo ID is just a cool
> > trick also.  Since you can't actually select a key via a photo ID, it
> > isn't really a good user ID.
> 
> There's no reason you couldn't select a key by a photo id in a GUI
> environment. Simply show a bunch of photos and let the user choose.

True, but no software exists (whether GnuPG or PGP) to do this today.
In both cases you need to select the key in question, and then view
the photo.  It's sort of a backwards way to select a key as normally
the user ID is used to get to the key.  I can see photos being used
more as a "select a key, then look at the photo to confirm it's the
right one" rather than a "encrypt to that photo".

It would be interesting to see a GUI that did what you suggest.  It
could be very helpful to people who were not particularly
crypto-savvy.

> Personally, I'd really like to see a keyserver interface that shows things
> like this. I think that would be a great application of photo IDs.
> 
> ===========
> |         |  pub  1024D/5E1F1BCE 2000-12-01 Richard James Laager (...) <...>
> |         |       Key fingerprint = 03D4 AED7 0990 0162 EDF5  5183 6DF5 5E1F 1BCE
> |         |  uid                            Richard James Laager (...) <...>
> |  PHOTO  |  uid                            Richard James Laager (...) <...>
> |         |  uid                            Laager, Richard James <...>
> |         |  uid                            LAAG0007 <...>
> |         |
> ===========

I quite agree.  I think that would be a wonderful keyserver
enhancement.  Since the photo is actually a straight JPEG with some
OpenPGP header bytes that can be ignored, it should be fairly
straightforward for a keyserver to feed the JPEG data back to the
browser.

> BTW David, did you happen to have any thoughts on the handling of photo IDs
> with revoked self-signatures, etc. as I talked about in a message a few
> days ago? The same issues would likely apply to the other types of
> non-traditional uids.

I responded a few days ago.  Didn't you see it?
  http://lists.gnupg.org/pipermail/gnupg-users/2003-May/018130.html

David
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3-cvs (GNU/Linux)
Comment: http://www.jabberwocky.com/david/keys.asc

iD8DBQE+xbYY4mZch0nhy8kRApGZAKDDEqz6b/p9q5CodR2VKTJJZoi5cwCgp4aq
i9Mtve1rxh1fO0czhxNFQik=
=GnoL
-----END PGP SIGNATURE-----
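
The keyserver idea discussed above, as an added example that is not part of the original message or of GnuPG: a sketch of pulling the JPEG out of a user attribute packet body before serving it. It assumes the image subpacket layout later published in RFC 4880, section 5.12 (subpacket type 1, a 16-byte version 1 header, encoding 1 for JPEG), and it checks the header and the JPEG start marker rather than skipping them blindly, since the bytes come from an uploaded key. The function names and the sample packet are constructed for illustration.

```python
import struct

JPEG_SOI = b"\xff\xd8"  # every JPEG stream starts with this marker

def _subpacket_len(buf, pos):
    """Decode an OpenPGP subpacket length; return (length, next_pos)."""
    first = buf[pos]
    if first < 192:
        return first, pos + 1
    if first < 255:
        return ((first - 192) << 8) + buf[pos + 1] + 192, pos + 2
    return struct.unpack(">I", buf[pos + 1:pos + 5])[0], pos + 5

def extract_jpegs(body):
    """Return the JPEG payloads found in a user attribute packet body."""
    images, pos = [], 0
    while pos < len(body):
        try:
            length, pos = _subpacket_len(body, pos)
        except (IndexError, struct.error):
            raise ValueError("truncated subpacket length")
        # The length covers the type octet plus the data that follows it.
        if length < 1 or pos + length > len(body):
            raise ValueError("subpacket length exceeds packet body")
        sub_type, data = body[pos], body[pos + 1:pos + length]
        pos += length
        if sub_type != 1:  # only type 1 (image) is handled; skip the rest
            continue
        if len(data) < 4:
            raise ValueError("image header too short")
        # Header length is little-endian, unlike the rest of OpenPGP.
        hdr_len, version, encoding = struct.unpack("<HBB", data[:4])
        if (hdr_len, version, encoding) != (16, 1, 1) or len(data) < hdr_len:
            raise ValueError("unsupported image header")
        jpeg = data[hdr_len:]
        if not jpeg.startswith(JPEG_SOI):
            raise ValueError("payload is not a JPEG stream")
        images.append(jpeg)
    return images

# Constructed sample: a stand-in "JPEG" (SOI + EOI markers only) in one subpacket.
FAKE_JPEG = b"\xff\xd8\xff\xd9"
HEADER = struct.pack("<HBB", 16, 1, 1) + bytes(12)  # 4 fields + 12 reserved zeros
SAMPLE_BODY = bytes([1 + len(HEADER) + len(FAKE_JPEG)]) + b"\x01" + HEADER + FAKE_JPEG

if __name__ == "__main__":
    print(extract_jpegs(SAMPLE_BODY))
```

A keyserver using something like this would send the result with a fixed `image/jpeg` content type instead of trusting anything else in the packet.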