WoT question - policy
stefan.claas at posteo.de
Tue Nov 13 22:36:47 CET 2018
On Tue, 13 Nov 2018 21:39:18 +0100, Wiktor Kwapisiewicz wrote:
> On 13.11.2018 17:54, Stefan Claas wrote:
> > Hi all,
> > I thought about creating a key certification policy, for my key,
> > and like to know your opinions.
> > <https://stefan_claas.keybase.pub/policy.txt>
> > I have read in the past several policies, but I like to avoid
> > id-card / online video/chat etc. because I am not able
> > to distinguish between a real or a fake id, when doing so.
> > Therefore I thought to use a postcard/letter method.
> > Any criticism is very welcome!
> Sounds interesting, would the post office check the ID of the person
> claiming the letter?
Well, I assume that the good old postman, delivering mail to your house,
is still around... :-) If I would send it as some form of a registered
letter then I would say yes.
> It reminds me of someone's method that utilized small bank transfers
> (I can't find the source though :( ).
I also thought about PayPal etc., but decided against it after receiving
> Why not issue generic certifications instead of sig2 and sig3? There
> are some arguments against them:
Yes, I remember this blog post and thought about this as well.
I like to point out that I remember RSA encryption, before PGP was
available and there was no WoT, so only people who knew each other
communicated that way.
When I first learned about PGP in 94/95 I also thought why should
people sign each other's key for a WoT and why do we need a global WoT
and what is it good for.
With my humble approach I like to be honest, in that form, that I did
my best for certifying someone's key which might be useful for someone
else, entering the WoT, without letting third parties know that I know
a person personally, or have a longtime online friendship etc. or that I
belong to a certain group of people.
With the postal approach the requester does not need to send his
address in encrypted form in case my computer would be compromised.
When someone requests a signature I don't keep records on my computer
later. I only keep the postcard as souvenir.
With the sig0 approach I have the following problem: I could create
a couple of fake keybase accounts, for example, give each other
a sig0 and then what is this good for if I follow the advice from
the blog and what trust should a third party gain from this many sig0
on such a key?