Protecting IDs at a key signing party

Phil Benchoff benchoff at bev.net
Thu Jan 19 02:38:37 CET 2012


On Thu, Dec 09, 2010 at 05:52:42PM +0100, Werner Koch wrote:
> On Wed,  8 Dec 2010 23:35, mailinglisten at hauke-laging.de said:
> 
> > aren't any IETF notations yet. I suggest a standard for at least these pieces 
> > of information:
> >
> > - key owner has been personally known for x years
> > - frequent contact with the key owner for x years
> [many more]
> 
> It is very unlikely that OpenPGP will ever adopt such standards.  There
> is an unspoken policy that we don't define policies but merely provide a
> framework so others can implement something on top of it.  If we would
> start to adopt any such policies we would soon end up in the X.509 mud.
> The signature classes 0x10 to 0x13 are for a reason not very strictly
> defined.
> 
> 
> Shalom-Salam,
> 
>    Werner

There is a way for you to put your own signing policy URL in the signature.
If you want something more formal, you could join a particular web of trust
with a well-defined policy, e.g. Gossamer Spider Web of Trust
http://www.gswot.org/.  (I don't know much about them.)  Your specific
items might provide a good start for a standard to document these policies.
I think it is particularly important to keep these policies de-coupled
from the OpenPGP standard though.

I think a lot about what signature classes are appropriate for what situations
and similar pedantry, but the current state of practice needs help at a
more fundamental level.  I just attended my first key-signing party.  The
participants likely have an above-average technical skill set.  Of the 16
signatures I've received so far, all are at the default level.  Five
signers delivered my signed keys in encrypted form to the individual UIDs.
The rest just uploaded them to a keyserver.  I can't be critical of anyone
who did that.  It seems to be the most common practice.

We are very lucky to have an open standard (OpenPGP) and a free/open-source
implementation (GnuPG) to work with.  The really hard problems are trying
to get people to use them correctly.

Phil
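Two of the details Phil mentions, the certification class (0x10 to 0x13) a signer chose and the policy URL a signer can put in the signature (GnuPG's --ask-cert-level and --cert-policy-url options), are just fields in the OpenPGP signature packet, so the recipient of a key-signing-party signature can check them instead of taking the signer's word. The following is an added example, not code from this post or from GnuPG. It parses those fields per RFC 4880 section 5.2, and the sample packet it runs on is constructed inline with a placeholder MPI (structurally valid, not cryptographically signed); the policy URL in it is hypothetical.

```python
# Added example (not from the post or GnuPG): parse the fields of an OpenPGP
# certification that a key-signing-party participant cares about (RFC 4880 5.2).
import struct

CERT_CLASSES = {0x10: "generic", 0x11: "persona", 0x12: "casual", 0x13: "positive"}
SUBPKT_CREATION_TIME, SUBPKT_ISSUER, SUBPKT_POLICY_URI = 2, 16, 26   # RFC 4880 5.2.3

def _read_length(buf, pos):
    """Decode a new-format packet/subpacket length at buf[pos] -> (length, next_pos)."""
    first = buf[pos]
    if first < 192:
        return first, pos + 1
    if first < 255:
        return ((first - 192) << 8) + buf[pos + 1] + 192, pos + 2
    return struct.unpack(">I", buf[pos + 1:pos + 5])[0], pos + 5

def _encode_length(n):
    """Inverse of _read_length."""
    if n < 192:
        return bytes([n])
    if n < 8384:
        return bytes([((n - 192) >> 8) + 192, (n - 192) & 0xFF])
    return b"\xff" + struct.pack(">I", n)

def parse_subpackets(area):
    """Return [(type, critical, body)] for one signature subpacket area."""
    out, pos = [], 0
    while pos < len(area):
        length, pos = _read_length(area, pos)
        typ = area[pos]
        out.append((typ & 0x7F, bool(typ & 0x80), area[pos + 1:pos + length]))
        pos += length
    return out

def parse_certification(packet):
    """Describe one v4 signature packet with an old- or new-format header."""
    tag_byte = packet[0]
    if tag_byte & 0x40:                              # new-format header
        tag, (length, pos) = tag_byte & 0x3F, _read_length(packet, 1)
    else:                                            # old-format header (gpg --export uses it)
        tag, ltype = (tag_byte >> 2) & 0x0F, tag_byte & 0x03
        if ltype == 0:
            length, pos = packet[1], 2
        elif ltype == 1:
            length, pos = struct.unpack(">H", packet[1:3])[0], 3
        else:
            raise ValueError("packet length form not supported")
    if tag != 2:
        raise ValueError(f"tag {tag} is not a signature packet")
    body = packet[pos:pos + length]
    if body[0] != 4:
        raise ValueError(f"only v4 signatures handled, got v{body[0]}")
    hashed_len = struct.unpack(">H", body[4:6])[0]
    hashed, p = body[6:6 + hashed_len], 6 + hashed_len
    unhashed_len = struct.unpack(">H", body[p:p + 2])[0]
    unhashed = body[p + 2:p + 2 + unhashed_len]
    info = {"sig_type": body[1], "class": CERT_CLASSES.get(body[1]),
            "created": None, "issuer": None, "policy_url": None, "policy_in_hashed": False}
    for area_name, area in (("hashed", hashed), ("unhashed", unhashed)):
        for typ, _critical, sub in parse_subpackets(area):
            if typ == SUBPKT_CREATION_TIME and area_name == "hashed":
                info["created"] = struct.unpack(">I", sub)[0]
            elif typ == SUBPKT_ISSUER:
                info["issuer"] = sub.hex().upper()
            elif typ == SUBPKT_POLICY_URI:
                # Only a policy URL in the hashed area is covered by the signature;
                # anything in the unhashed area can be appended by anyone later.
                info["policy_url"] = sub.decode("utf-8")
                info["policy_in_hashed"] = area_name == "hashed"
    return info

def _subpacket(typ, payload):
    return _encode_length(len(payload) + 1) + bytes([typ]) + payload

def build_certification(sig_type, policy_url=None, created=1291852342, issuer=bytes(8)):
    """Constructed test input: a structurally valid v4 signature packet whose MPI is a
    placeholder, so it parses like a real one but is not cryptographically signed."""
    hashed = _subpacket(SUBPKT_CREATION_TIME, struct.pack(">I", created))
    if policy_url is not None:
        hashed += _subpacket(SUBPKT_POLICY_URI, policy_url.encode("utf-8"))
    unhashed = _subpacket(SUBPKT_ISSUER, issuer)
    body = bytes([4, sig_type, 1, 8])                # v4, type, RSA (1), SHA-256 (8)
    body += struct.pack(">H", len(hashed)) + hashed
    body += struct.pack(">H", len(unhashed)) + unhashed
    body += b"\x00\x00" + struct.pack(">H", 1) + b"\x01"   # hash prefix + 1-bit MPI, both dummies
    return bytes([0xC2]) + _encode_length(len(body)) + body

if __name__ == "__main__":
    # Hypothetical policy URL; in practice it is whatever was given to --cert-policy-url.
    for pkt in (build_certification(0x10),
                build_certification(0x13, "https://example.invalid/cert-policy.txt")):
        print(parse_certification(pkt))
```

To run it on a real certification, feed parse_certification the bytes of one signature packet taken from gpg --export of the signed key; gpg --list-packets prints the same fields (the signature class and any policy URL subpacket) if you only want to look. The hashed/unhashed distinction is the check worth keeping: a policy URL that sits in the unhashed area says nothing about what the signer intended, because it is not covered by the signature.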


