incubator-general mailing list archives

From Noah Slater <nsla...@tumbolia.org>
Subject Re: key signing
Date Mon, 08 Oct 2012 21:24:29 GMT
This is an important point.

Debian has a complete toolset and guidelines for managing this.

http://www.debian.org/events/keysigning

To quote:

> People should only sign a key under at least two conditions:
>
> 1. The key owner convinces the signer that the identity in the UID is
> indeed their own identity by whatever evidence the signer is willing to
> accept as convincing. Usually this means the key owner must present a
> government issued ID with a picture and information that match up with the
> key owner. (Some signers know that government issued ID's are easily forged
> and that the trustability of the issuing authorities is often suspect and
> so they may require additional and/or alternative evidence of identity).
>
> 2. The key owner verifies that the fingerprint and the length of the key
> about to be signed is indeed their own.

How would you do this via Skype?

If we don't take this seriously, how can we expect other people to take our
keys seriously?

(Debian also has a few tools to help automate this stuff. See above link.)

If we're going to adopt a key signing model, we should strongly consider
basing it on Debian's.

On Mon, Oct 8, 2012 at 9:45 PM, Ted Dunning <ted.dunning@gmail.com> wrote:

> On Mon, Oct 8, 2012 at 7:46 PM, Marvin Humphrey <marvin@rectangular.com> wrote:
>
> > On Mon, Oct 8, 2012 at 8:51 AM, Branko Čibej <brane@apache.org> wrote:
> >
> > > It says clearly, "as long as you can guarantee that you are
> > > communicating with the key's true owner." Which was exactly my point.
> >
> > I assert a "virtual key-signing party" protocol incorporating Google Plus
> > Hangouts could offer comparable assurances to a face-to-face key signing
> > party.  I speculate that such a protocol would utilize the "Hangouts On
> > Air"[1] feature which archives the hangout video directly to YouTube, along
> > with possibly mailing list interaction and commits to ASF version control to
> > achieve a layered approach a la multi-factor authentication.  Arguably, having
> > archived video would make the virtual protocol _stronger_ than
> > face-to-face.
> >
> > Whether such an initiative would be worth the effort is a different question,
> > but video conferencing should not be dismissed out-of-hand as a tool for
> > helping to associate a key with the key's true owner.
> >
> > [1] http://www.google.com/+/learnmore/hangouts/onair.html
> >
> I think that Branko may have been thinking text messages when the word
> skype came up.  Video conferencing is at least as good as voice and, as you
> say, with archiving can be pretty powerful.  To my mind, though, there is
> definitely something nice about having somebody's passport in your hand and
> pretending you know what to look for to spot a fake.
>
-- 
NS
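The second Debian condition quoted above (fingerprint and key length must match what the owner states) as an added worked check; this is example code, not part of the original message or of Debian's keysigning tools. It parses `gpg --with-colons` output, assumed captured beforehand, and uses a constructed, non-real key record; `check_key`, `parse_key` and `normalise_fpr` are names chosen here.

```python
import re

# Constructed sample of `gpg --with-colons --fingerprint` output for one key.
# Made-up data: the fingerprint, key ID and UID are placeholders, not a real key.
SAMPLE_COLONS = """\
tru::1:1349730000:0:3:1:5
pub:u:4096:1:89ABCDEF01234567:1349700000:::u:::scESC::::::23::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:u::::1349700000::DEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEF::Example Person <person@example.org>::::::::::0:
sub:u:4096:1:0011223344556677:1349700000::::::e::::::23:
"""

def parse_key(colons: str) -> dict:
    """Pull the primary key's length, algorithm, fingerprint and UIDs out of
    gpg --with-colons output. Layout: 'pub' field 3 = bits, field 4 = algorithm
    id (1 = RSA, 17 = DSA, 22 = EdDSA); 'fpr' field 10 = fingerprint;
    'uid' field 10 = user ID string. The first 'fpr' line belongs to the
    primary key; later ones belong to subkeys."""
    info = {"bits": None, "algo": None, "fpr": None, "uids": []}
    for line in colons.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            info["bits"], info["algo"] = int(f[2]), int(f[3])
        elif f[0] == "fpr" and info["fpr"] is None:
            info["fpr"] = f[9]
        elif f[0] == "uid":
            info["uids"].append(f[9])
    return info

def normalise_fpr(s: str) -> str:
    """Strip the spaces and casing people use when reading a fingerprint aloud."""
    return re.sub(r"[^0-9A-F]", "", s.upper())

def check_key(colons: str, spoken_fpr: str, spoken_bits: int, identity: str) -> list:
    """Return a list of problems (empty list = the key matches what the owner
    stated). Condition 1, checking the person against their documents, stays a
    human judgement; this only confirms the UID you verified is on the key."""
    info = parse_key(colons)
    problems = []
    want = normalise_fpr(spoken_fpr)
    if len(want) != 40:
        # A short key ID is not enough: collisions on 32/64-bit IDs are cheap.
        problems.append("need the full 40-hex-digit fingerprint, not a short key ID")
    elif want != info["fpr"]:
        problems.append("fingerprint mismatch")
    if spoken_bits != info["bits"]:
        problems.append(f"key length mismatch: owner said {spoken_bits}, key is {info['bits']}")
    if not any(identity in uid for uid in info["uids"]):
        problems.append("verified identity does not appear in any UID")
    return problems
```

Only sign when `check_key` returns an empty list and you have satisfied condition 1 in person.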
