[Discuss] Fwd: Relevance of PGP?

John Abreau jabr at blu.org
Thu Aug 18 19:59:10 EDT 2011


On Thu, Aug 18, 2011 at 8:24 AM, Edward Ned Harvey <blu at nedharvey.com> wrote:

>> John Abreau writes
>>
>> If an average user wants to delegate his PGP keysigning to his lawyer,
>> he can configure his PGP settings to trust all keys that the lawyer
>> trusts, and then the lawyer can take care of attending keysignings,
>> contacting other keyholders (or those keyholders' lawyers) to verify
>> their keys, etc.
>>


> I like this idea, but does it exist anywhere?  Meaning...  Suppose I get
> something signed by you, and your signature says you delegate trust to your
> lawyer, Abraham Lincoln.  How am I supposed to get Abraham Lincoln to verify
> your signature, if I don't know him and I haven't already received his
> certificate myself personally via trusted channel?  For that matter, if
> somebody was forging your signature, they would simply say they trust Lionel
> Hutz instead of Abraham Lincoln.  How do I, as the recipient of such a
> message, know who I should trust, to verify the authenticity and integrity
> of your supposed signature?


The delegation means that I hire Abraham Lincoln to take care of verifying
your signature for me. It has nothing whatsoever to do with you verifying
my signature. That's an entirely separate problem that I haven't spent any
time thinking about. Maybe nontechies can tell each other out of band that
"I've delegated my key management to Abraham Lincoln, here's his contact
info", or "I'll have my lawyer verify keys with your lawyer".

The point of my post was to make an analogy to the legal concept of Power Of
Attorney to suggest that we can create a similar mechanism based on the
Web Of Trust model that will make key management easier for nontechies.
I could instead have made an analogy to locksmiths: when we want to change
the locks on our doors, a techie might buy a new lock at Home Depot and
install it himself, whereas a nontechie would hire a locksmith to take
care of it.

Another analogy might be to a Notary Public. A Notary is kind of a signature
verification service for written signatures on paper, so perhaps we can invent
a "PGP Notary" that can do something similar for PGP signatures.


-- 
John Abreau / Executive Director, Boston Linux & Unix
GnuPG KeyID: 0xD5C7B5D9 / Email: abreauj at gmail.com
GnuPG FP: 72 FB 39 4F 3C 3B D6 5B E0 C8 5A 6E F1 2C BE 99
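Added example, not part of the thread above: the delegation John describes already has a home in the OpenPGP Web of Trust. It is called ownertrust, the rating each keyring owner assigns locally to another key's owner as a certifier (in GnuPG, the `trust` command inside `gpg --edit-key`, or a trust signature made with `tsign`). The Python model below reimplements the classic trust computation that GnuPG's `--trust-model classic` applies (a key is fully valid when certified by one fully trusted introducer or by three marginally trusted ones, each within the maximum certification depth of an ultimately trusted key) so the effect of "trust everything my lawyer has verified" can be seen offline. It is a model written for this page, not GnuPG's code, and every key name in it (alice, lincoln, bob, carol, hutz, and so on) is made up. The scenario also covers Ned's forgery question: ownertrust is set by the recipient in her own trust database, never announced by the signer, so a forged key "vouched for" by Lionel Hutz gets no validity unless the recipient herself has chosen to trust Hutz.

```python
from typing import Dict, Set

# Ownertrust levels: a LOCAL decision by the keyring's owner about how much
# to trust someone else's certifications. Nothing in a signature carries
# this; a forger can claim to "trust Lionel Hutz", but that claim never
# reaches the verifier's trust database.
UNKNOWN, NEVER, MARGINAL, FULL, ULTIMATE = "unknown", "never", "marginal", "full", "ultimate"

# Validity levels: what the computation assigns to each key.
NOT_VALID, MARGINALLY_VALID, FULLY_VALID = "unknown", "marginal", "full"


class WebOfTrust:
    """Model of the classic OpenPGP trust computation (assumed to match the
    rules GnuPG's --trust-model classic uses; this is not GnuPG's code).
    A key is fully valid if certified by `completes_needed` fully trusted
    introducers or `marginals_needed` marginally trusted ones, each of which
    is itself fully valid and at most `max_depth - 1` steps from an
    ultimately trusted key."""

    def __init__(self, max_depth: int = 5, marginals_needed: int = 3,
                 completes_needed: int = 1) -> None:
        self.max_depth = max_depth
        self.marginals_needed = marginals_needed
        self.completes_needed = completes_needed
        self.ownertrust: Dict[str, str] = {}
        self.certifications: Dict[str, Set[str]] = {}   # certified key -> signers

    def set_ownertrust(self, key: str, level: str) -> None:
        self.ownertrust[key] = level

    def certify(self, signer: str, key: str) -> None:
        self.certifications.setdefault(key, set()).add(signer)

    def compute_validity(self) -> Dict[str, str]:
        keys = set(self.ownertrust) | set(self.certifications)
        keys |= {s for signers in self.certifications.values() for s in signers}
        validity = {k: NOT_VALID for k in keys}
        depth: Dict[str, int] = {}
        for key, level in self.ownertrust.items():
            if level == ULTIMATE:               # our own keys: the roots
                validity[key], depth[key] = FULLY_VALID, 0
        changed = True
        while changed:                          # validity only ever increases
            changed = False
            for key, signers in self.certifications.items():
                if validity[key] == FULLY_VALID:
                    continue
                full = marginal = 0
                best_depth = None
                for signer in signers:
                    # Only a fully valid key within the depth limit can introduce.
                    if validity[signer] != FULLY_VALID or depth[signer] >= self.max_depth:
                        continue
                    level = self.ownertrust.get(signer, UNKNOWN)
                    if level in (FULL, ULTIMATE):
                        full += 1
                    elif level == MARGINAL:
                        marginal += 1
                    else:                       # unknown or never: ignored
                        continue
                    d = depth[signer] + 1
                    best_depth = d if best_depth is None else min(best_depth, d)
                if full >= self.completes_needed or marginal >= self.marginals_needed:
                    new = FULLY_VALID
                elif full or marginal:
                    new = MARGINALLY_VALID
                else:
                    new = NOT_VALID
                if new != validity[key]:
                    validity[key], depth[key] = new, best_depth
                    changed = True
        return validity


def delegation_scenario() -> Dict[str, str]:
    """Alice delegates key verification to her lawyer Lincoln (all names made up)."""
    wot = WebOfTrust()
    wot.set_ownertrust("alice", ULTIMATE)      # Alice's own key
    wot.certify("alice", "lincoln")            # she verified her lawyer's key in person
    wot.set_ownertrust("lincoln", FULL)        # the power-of-attorney step
    wot.certify("lincoln", "bob")              # Lincoln attends keysignings for her
    wot.certify("lincoln", "carol")
    # A forged "bob" key vouched for by Lionel Hutz; Alice never rated Hutz.
    wot.certify("hutz", "mallory-posing-as-bob")
    # Three acquaintances Alice trusts only marginally all certify Frank.
    for friend in ("dan", "erin", "gil"):
        wot.certify("alice", friend)
        wot.set_ownertrust(friend, MARGINAL)
        wot.certify(friend, "frank")
    wot.certify("dan", "hal")                  # only two marginal introducers for Hal
    wot.certify("erin", "hal")
    return wot.compute_validity()


if __name__ == "__main__":
    for key, level in sorted(delegation_scenario().items()):
        print(f"{key:24} {level}")
```

Bob and Carol come out fully valid for Alice although she never met them, Frank is fully valid through three marginal introducers, Hal is only marginally valid, and the forged key stays unknown because Hutz has no ownertrust and no certification path from Alice. The same outcome in a real keyring is what `gpg --check-trustdb` recomputes after you change a key's ownertrust.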


