WoT question - policy

Stefan Claas stefan.claas at posteo.de
Tue Nov 13 22:36:47 CET 2018

On Tue, 13 Nov 2018 21:39:18 +0100, Wiktor Kwapisiewicz wrote:
> On 13.11.2018 17:54, Stefan Claas wrote:
> > Hi all,
> > 
> > I thought about creating a key certification policy for my key,
> > and would like to know your opinions.
> > 
> > <https://stefan_claas.keybase.pub/policy.txt>
> > 
> > I have read several policies in the past, but I would like to avoid
> > ID-card / online video/chat etc., because I am not able
> > to distinguish between a real and a fake ID when doing so.
> > 
> > Therefore I thought of using a postcard/letter method.
> > 
> > Any criticism is very welcome!
> Sounds interesting, would the post office check the ID of the person
> claiming the letter?

Well, I assume that the good old postman, delivering mail to your house,
is still around... :-) If I would send it as some form of registered
letter, then I would say yes.

> It reminds me of someone's method that utilized small bank transfers
> (I can't find the source though :( ).

I also thought about PayPal etc., but decided against it after receiving
some advice.

> Why not issue generic certifications instead of sig2 and sig3? There
> are some arguments against them:
> https://debian-administration.org/users/dkg/weblog/98

Yes, I remember this blog post and thought about this as well.

I would like to point out that I remember RSA encryption, before PGP was
available and there was no WoT, so only people who knew each other
communicated that way.

When I first learned about PGP in 94/95 I also wondered why people
should sign each other's keys for a WoT, why we need a global WoT,
and what it is good for.

With my humble approach I would like to be honest, in the sense that I did
my best to certify someone's key, which might be useful for someone
else entering the WoT, without letting third parties know that I know
a person personally, or have a long-time online friendship etc., or that I
belong to a certain group of people.

With the postal approach the requester does not need to send his
address in encrypted form, in case my computer were compromised.
When someone requests a signature I don't keep records on my computer
afterwards. I only keep the postcard as a souvenir.

With the sig0 approach I have the following problem: I could create
a couple of fake keybase accounts, for example, give each other
a sig0, and then what is this good for if I follow the advice from
the blog, and what trust should a third party gain from this many sig0s
on such a key?
