Do not conflate key+userID certification with "vouching"

MFPA expires2011 at ymail.com
Fri Apr 8 23:06:23 CEST 2011 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Hi


On Friday 8 April 2011 at 8:35:56 PM, in
<mid:4D9F639C.6040804 at fifthhorseman.net>, Daniel Kahn Gillmor wrote:


> Or, more simply, An OpenPGP certification is "vouching
> for someone's identity"; it is not "vouching for
> someone".

The meaning and implications of "vouching for" somebody are massively
dependent on context and circumstances. In the context of a discussion
about openPGP certifications, in the abstract without any specific use
for those certifications lurking in the shadows, I see no difference
between "vouching for someone's identity" and "vouching for someone."



> But given the easy confusion and the level of nuance
> required to tease the concepts apart, i think we're
> better off avoiding the term "vouch" entirely, and
> talking about "assertions of identity and key
> ownership" instead.  Why use a term likely to sow more
> confusion in an already confused topic?

Whilst "vouch" is yet another term with the potential to confuse, is
it really any more confusing than "certification" or "assertion of
identity?"



> OpenPGP certifications should be about identity and
> key-ownership.

As an aside, I've always found "control" to be more helpful than
"ownership" in my thought processes about openPGP keys. Who "controls"
the private key has an obvious meaning to me, who "owns" a key seems a
little more abstract.

- --
Best regards

MFPA                    mailto:expires2011 at ymail.com

Never interrupt me when I'm trying to interrupt you.
-----BEGIN PGP SIGNATURE-----

iQE7BAEBCgClBQJNn3jWnhSAAAAAAEAAVXNpZ25pbmdfa2V5X0lEIHNpZ25pbmdf
a2V5X0ZpbmdlcnByaW50IEAgIE1hc3Rlcl9rZXlfRmluZ2VycHJpbnQgQThBOTBC
OEVBRDBDNkU2OSBCQTIzOUI0NjgxRjFFRjk1MThFNkJENDY0NDdFQ0EwMyBAIEJB
MjM5QjQ2ODFGMUVGOTUxOEU2QkQ0NjQ0N0VDQTAzAAoJEKipC46tDG5pdiAD+gMv
jNDoqqqZ9cYUf39hBs2w3e8QoyjMIBVmk8Ghg/4F/L7yaXQCGR9OXrKAFl45zPAz
B9Y2Cz8VLjBa7CjpeluZe0kkzF+0De4vd+BaNFBGF0jY13KXPfbWezC22SH4A16w
jlOFLFWiEPk1mJaNjA7GHB1JVxM9nrHRYXT1iPX2
=WqbR
-----END PGP SIGNATURE-----

More information about the Gnupg-users mailing list