Delete key from keyserver
hawke at hawkesnest.net
Mon Oct 24 23:21:32 CEST 2005
zvrba at globalnet.hr wrote:
> And the final 'objection' is more of a philosophical one: what is IDENTITY?
> If I know a person only by email, then that email *is* the person to me.
> And I know many people just by email and we are probably never going to
> meet IRL, except for some strange coincidence.
I find this point to be an important one. The focus of all the GPG
documentation and recommendations and so forth is far too much on "real
world" identity, i.e. physical documents, passports/drivers
But it is not intended, or at least not primarily used, in situations
where that matters. It gets the most use in Internet communications,
protecting things that are unlikely to get anyone sued or such where
tracing a person to their physical identity is useful.
For this sort of reason, I was disappointed that GnuPG 1.4.x
de-emphasized the "certification levels". It's helpful to be able to
state what you're willing to certify ... e.g. a level 3 sig indicates
confidence in the name, while a level 1 sig indicates confidence in the
email (or whatever someone may use)
The UID format is also problematic IMO. GPG (OpenPGP?) strongly "wants"
to have a Name and an email address for each UID. I think that this
puts emphasis in a bad place, leading people to be signing the fact that
e.g. "Alex Mauer belongs with hawke at hawkesnest.net", rather than "Alex
Mauer belongs with key 0x51192ff2" and "hawke at hawkesnest.net belongs
with key 0x51192ff2". The photo UID type fits much better, being a
statement that "this is a photo of the person who uses 0x51192ff2".
But it is comparatively easy to verify that the email goes with the key
(I'll [locally] trust robots such as keyserver.pgp.com to do this); it
is /much/ harder to verify that the name goes with either the key or the
email address ... or even the physical person with ID when you meet
them. (twins are not sufficiently uncommon) I'd even go so far as to
say that it's entirely impossible to be 100% sure. Fortunately the
situations where it matters are few and far between, particularly for
email over the internet.
Bad - You get pulled over for doing 90 in a school zone and you're drunk
off your ass again at three in the afternoon.
Worse - The cop is drunk too, and he's a mean drunk.
FUCK! - A mean drunk that's actually a swarm of semi-sentient
OpenPGP key id: 0x51192FF2 @ subkeys.pgp.net
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 382 bytes
Desc: OpenPGP digital signature
Url : /pipermail/attachments/20051024/caba6b85/signature-0001.pgp
More information about the Gnupg-users