Estonian e-residency

Richard Ulrich ricul77 at gmail.com
Mon Feb 6 10:37:00 CET 2017


Hi Andrew,

Of course it is better to directly sign the key.
And it is also better if there is a short path in the web of trust.
But my use case is for when there is no path at all in the web of
trust.

Most people I know don't even have a GPG key. And of the ones that have
a key, chances are high that they don't have any signatures on it.

So we sometimes resort to keybase.io. There the key is verified by some
social media. Sure, if the social media profile has existed for some
years and has some legitimate-looking interactions, it is a good
indicator that it's not a fake account.
But still, I would trust a government verification more than social
media.

For example I bought a car last week with Bitcoin. The person that
handled the payment for the seller was not present, but gave me his
keybase.io user name on the phone. He signed the email containing the
Bitcoin address for the payments with his GPG key.
He didn't have any signatures on his key.
In this scenario I'm grateful for every piece of validation to give the
key more credibility.

Rgds
Richard


On Thursday, 02.02.2017, 13:42 +0000, Andrew Gallagher wrote:
> On 02/02/17 12:02, Richard Ulrich wrote:
> > 
> > I thought about applying for Estonian e-residency for the sole
> > reason of adding credibility to my GPG key. My idea would be to
> > sign my GPG key with the ID card. This could give people who are
> > not in my web of trust a head start.
> Which particular people? And a head start at doing what?
> 
> AIUI the e-residency signature is not PGP-compatible, so people will
> need to verify it using a separate tool. And once I have verified
> your e-residency signature, what does it mean to me? At best, it
> tells me that you are one of possibly many people known to the
> Estonian Government as "Richard Ulrich". Unless I have already dealt
> with you elsewhere via your Estonian ID, how does this help me?
> 
> What particular problem are you trying to solve? It seems to me that
> unless you are going to use your E-identity for some other purpose,
> tying your GPG key to it adds little value. You say your sole reason
> for applying for e-residency is to add "credibility" to your existing
> key. But how is asking the Estonian government to verify your
> passport more credible than producing your passport at a keysigning
> party? Or better still, showing it to the actual person you want to
> talk to?
> 
> Andrew.