basic identity mgmt
dougb at dougbarton.email
Sun Jan 17 04:32:28 CET 2016
On 01/16/2016 07:06 PM, Andrew Gallagher wrote:
>> On 17 Jan 2016, at 02:19, Doug Barton <dougb at dougbarton.email> wrote:.
>> OTOH, PGP is designed primarily to establish trust relationships between people, with human review of the results an integral part of the process.
> That may have been the initial motivation. But consider that the most common real world use of PGP today is verification of code signatures - many of which are generated semi-automatically by build infrastructures such as Debian and verified by install tools. The trust relationship here is between your client and a build server, not people.
True enough, but what do those signatures actually mean?
But more importantly, what security measures are in place to prevent a
rogue key from entering that WOT, in addition to a certification
signature from a random key? Is the only thing someone would need to do
to compromise a single certification key?
>> Glossing over authentication (because there's no real use case for those keys yet),
> Two factor ssh smart card auth? I use it nearly every day - much more often than encrypted mail.
Sorry, all that does is replace something that already existed, works
well, and is widely supported; with something more complex, often buggy,
and not widely supported. That's not a use case, that's a solution
looking for a problem.
That's not to say that someday there won't be a use case for
authentication keys, but I haven't seen one yet.
> I don't think anyone has sent me an encrypted mail in over a year, and the last one was about signing a PGP key. ;-)
You're corresponding with the wrong people. :)
More information about the Gnupg-users