Do not conflate key+userID certification with "vouching"
expires2011 at ymail.com
Fri Apr 8 23:06:23 CEST 2011
-----BEGIN PGP SIGNED MESSAGE-----
On Friday 8 April 2011 at 8:35:56 PM, in
<mid:4D9F639C.6040804 at fifthhorseman.net>, Daniel Kahn Gillmor wrote:
> Or, more simply, An OpenPGP certification is "vouching
> for someone's identity"; it is not "vouching for
The meaning and implications of "vouching for" somebody are massively
dependent on context and circumstances. In the context of a discussion
about openPGP certifications, in the abstract without any specific use
for those certifications lurking in the shadows, I see no difference
between "vouching for someone's identity" and "vouching for someone."
> But given the easy confusion and the level of nuance
> required to tease the concepts apart, i think we're
> better off avoiding the term "vouch" entirely, and
> talking about "assertions of identity and key
> ownership" instead. Why use a term likely to sow more
> confusion in an already confused topic?
Whilst "vouch" is yet another term with the potential to confuse, is
it really any more confusing than "certification" or "assertion of
> OpenPGP certifications should be about identity and
As an aside, I've always found "control" to be more helpful than
"ownership" in my thought processes about openPGP keys. Who "controls"
the private key has an obvious meaning to me, who "owns" a key seems a
little more abstract.
MFPA mailto:expires2011 at ymail.com
Never interrupt me when I'm trying to interrupt you.
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
More information about the Gnupg-users