Estonian e-residency

Andrew Gallagher andrewg at andrewg.com
Tue Feb 7 12:33:30 CET 2017


On 06/02/17 09:37, Richard Ulrich wrote:
> So we sometimes resort to keybase.io. There the key is verified by 
> some social media. Sure, if the social media profile have existed 
> for some years and have some legitimate looking interactions, it is
> a good indicator that its not a face account. But still, I would 
> trust a government verification more than social media.

keybase.io is a great idea. But its main use is to tie a PGP key to a
social media account or accounts that act as a surrogate web of trust
(by being referenced in multiple independent places by hopefully
reputable third parties). But if your correspondent's social network
does not overlap with yours, again I'm not sure much value is added.

> For example I bought a car last week with Bitcoin. The person that 
> handled the payment for the seller was not present, but gave me his 
> keybase.io user name on the phone. He signed the email containing 
> the Bitcoin address for the payments with his GPG key. He didn't 
> have any signatures on his key.

I'm not sure I would have the cojones to follow through with this deal,
signatures or no. ;-)

> In this scenario I'm grateful for every piece of validation to give
> the key more credibility.

In a scenario where you do not know the intermediary, the only
meaningful validation is whether the vendor vouches for both the
intermediary's person and key. The fact that the intermediary
offers you *an* identity doesn't mean you are validating the correct
identity.

If for example he had given you a key signed by a Russian government
agency, would you have had more confidence? Granted, you like (and
obviously trust to some extent) the Estonian e-ID system. Others might
not have so much faith.

Sorry if I'm coming across as a little harsh, but you are proposing
spending hard cash and I'd hate to see you do so and not get your
money's worth. By all means, get an e-ID for the fun, for experiment,
or to start up a company. But signing PGP keys with it is non-standard,
and it's hard enough to convince most people to verify
keys via standard methods.

The problem with any PKI (which we still haven't cracked) is that the
motivation to get your key signed is "How do I prove my identity to
others", while the motivation of the person verifying the key is "To
what extent should I trust this person". And unfortunately, the two
questions are far from equivalent.

A

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 801 bytes
Desc: OpenPGP digital signature
URL: </pipermail/attachments/20170207/64dbc3f7/attachment.sig>


More information about the Gnupg-users mailing list