MUA "automatically signs keys"?

MFPA 2014-667rhzu3dc-lists-groups at
Fri Jan 31 02:15:07 CET 2014

On Thursday 30 January 2014 at 10:43:39 PM, in
<mid:20140130224339.5fcb0d27 at steves-laptop>, Steve Jones wrote:

> Well therein lies my problem with the PGP system. It
> relies on the notion of there being this singular thing
> called your identity.

I'll take that to mean your problem with the web of trust.

The pedantry about verifying government-issued identity is perhaps
necessary if you have the need to be confident the government knows
the other person as "John Smith" and that they are the right one of
the many "John Smiths" in existence. If that is not needed, the
name by which any government knows the person is irrelevant.

> This doesn't really match how people work in the world, it certainly
> doesn't match how things work online.

That's right, each context in which a person presents themself is
effectively a distinct identity or persona. If the contexts overlap,
there is a certain amount of blending between the distinct personas.

> There are plenty of people I've
> known for years by a particular name and using a
> particular email address, but by the standards of PGP I
> haven't verified their identity so shouldn't sign their
> key.

Your certification on a key means exactly what you want it to mean.
If your certification is published with a key, it is up to each user
to interpret that certification as they see fit (or to ignore it

> In online communications so many people are just
> names, urls or email addresses, their identity is just
> the things they've said and published.

Is that so different from the person you don't actually know, but they
are sometimes on the train when you are commuting, and just
occasionally you chat?

> If I was
> accepting a cheque from one of those people I'd
> probably look for an identity confirmation,

If I didn't know their name or address, depending on the amount
involved I may not accept the cheque.

> if I just
> wanted to talk to them in probable privacy then a few
> other people saying effectively "Yeah I've used that
> key for that person" is enough.

Is that what the signature means? Are they not simply saying, in effect,
"Yeah I've used that key for that _email address_?"

> To put it somewhat glibly, if a friend introduces
> someone to you do you ask for an affidavit that your
> friend has seen two forms of state issued photo id
> before you'll talk to them?

Depends on the conversation. (-;

> Yes, entirely. As it stands however the standard threat
> model seems that we have to assume that all attackers
> are the NSA.

There is no standard threat model. But the NSA and others are, at
least anecdotally, monitoring all communications and retaining copies
if they are encrypted. And any person could come under scrutiny as a
result of being only a small number of communication hops from a
"person of interest."

--
Best regards

MFPA                    mailto:2014-667rhzu3dc-lists-groups at

Lack of money is no obstacle. Lack of an idea is an obstacle.