Non email addresses in UID
Daniel Kahn Gillmor
dkg at fifthhorseman.net
Fri Jan 24 23:16:28 CET 2014
On 01/24/2014 12:48 PM, Steve Jones wrote:
> On Fri, 24 Jan 2014 12:15:40 -0500 Daniel Kahn Gillmor <dkg at fifthhorseman.net> wrote:
>
>> http://web.monkeysphere.info/
>
> This looks pretty cool, and does cover some of the things I've been
> thinking about. I've been wondering about communications secured with
> OpenPGP, it strikes me that it's not really necessary to even involve
> SSL; and the nightmares that seems to involve. Does monkeysphere have
> any aims to do complete connection security via OpenPGP?

what do you mean "complete connection security via OpenPGP"? OpenPGP is
not a stream-based communications protocol, it's a specification of a
message format and a certificate format. Inventing a new stream-based
communications protocol from scratch and shoehorning it into OpenPGP
doesn't sound like a great idea to me.

Monkeysphere uses OpenPGP's certificate format to provide a way for
people to verify the keys used in SSH and TLS (and elsewhere -- OTR
would be a lovely addition, for example). It does not intend to
supplant those communications techniques.

> So I'm led to the idea that associating keys with areas on the web
> where a person's work, writings, etc... are known is more important
> than some sort of confirmation of a person's name, which is not even a
> unique identifier. If, for example, you'd signed your commits to
> monkeysphere I'd be able to verify your claim that you are a
> contributor to it (not that I doubt, or have any reason to doubt that).

how are other people going to verify these proposed User IDs?

If you make a data element a subkey or a notation in your
self-signature, you are not asking other people to attempt to certify it.

If you make the same data element a User ID or User Attribute, then you
are effectively putting it out there for other people to attempt to
verify and then certify.

If you came to me and said "I am the person who blogs at
https://www.example.com/stevejones", how am i supposed to verify that?
when would you want me to certify it?

--dkg