MUA "automatically signs keys"?
2014-667rhzu3dc-lists-groups at riseup.net
Tue Feb 4 21:32:38 CET 2014
-----BEGIN PGP SIGNED MESSAGE-----
On Friday 31 January 2014 at 9:24:17 AM, in
<mid:20140131092417.6515e1b0 at steves-laptop>, Steve Jones wrote:
> Well the conventions of use, for example the key
> signing party protocol, requires photographic id. If I
> publicly sign a key it has to be in line with how I
> expect others to interpret it. Policies and notations
> on signatures go some way to alleviate that but only if
> the tools support it.
Surely if others interpret it differently than how you publicly state
you mean it, that's their own look-out.
> To me, you are just an email address, for
> all I know you're a dozen different people spoofing
> emails to the list. If all your mails are signed with
> the same key then I can at least assume all those
> people are working in concert :-)
I think all my emails to this list are signed with the same key. (-;
> The issue is that the tools around OpenPGP use are
> designed around the idea that it's for verifying some
> fixed identity, whereas in this case it's continuity of
> identity that's more important.
You mean it doesn't matter *who* I am as long as I am the same person
you corresponded with before? Apart from certain narrow
legally-defined situations, that's fairly general in real life as well
> If your key had dozens
> of signatures at the persona level going back a few
> years then I'd have a reasonable belief that you're not
> just a brand new identity created for mischievousness
If you were that worried, you could check the list archives for
signed postings from MFPA.
> With notations you get a system of
> distributed tagging, where identity becomes a matter of
> a collection of attested to attributes. Obviously this
> could create a lot of noise so you'd have a limited set
> of folks (including ephemeral Internet folks) whose
> tags you trust, probably the same people whose
> signatures you trust - which is handy. :-)
Would they "probably" be the same folks? Or would the people whose
signatures you trust be akin to those you would have round for a meal,
whereas those whose tags you trust would be more like people with whom
you'd go out for a pint?
> My mail client, and all the others I've used, is only
> interested in whether I, or someone else, has certified
> that MFPA is your real name.
Any I have used is only interested in whether the key is valid. My
local signature makes it valid but gives no clue about whether I know
somebody's real name.
> Certainly. This BTW is why I think anonymous
> cryptocurrency is a daft idea
Why do you need to know who the other person was in a Bitcoin
> True, "This person is a police officer and would like
> to know where you were last night," might lead you to
> wanting to see id.
It might also lead to a point-blank refusal to enter any discussion.
MFPA mailto:2014-667rhzu3dc-lists-groups at riseup.net
Why is the universe here? Well, where else would it be?
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----