BLU Discuss list archive
[Discuss] privacy with pgp keys
- Subject: [Discuss] privacy with pgp keys
- From: effigies at riseup.net (Chris Markiewicz)
- Date: Thu, 10 Sep 2015 13:36:35 -0400
- In-reply-to: <CAFv2jcbnt1FRNnX9=SXfY4mfaHauup2P2RzayxhKzHX6XUsetA@mail.gmail.com>
- References: <CALggPSnKM8sz3kAWQUwOMSgzpKMEQSxtzaeU6FfYN2H6H7vBpQ@mail.gmail.com> <CAFv2jcbnt1FRNnX9=SXfY4mfaHauup2P2RzayxhKzHX6XUsetA@mail.gmail.com>
On 09/10/2015 12:52 PM, John Abreau wrote:
> At a keysigning party, the process is to verify each participant's
> identity, and verify that the key they claim ownership of is actually under
> their control. Each participant verifies their key id and fingerprint, and
> then all participants examine each other's photo ids, and afterward each
> participant signs the keys they feel confident about and emails each signed
> key to the corresponding person, encrypted so that only the owner of the
> key can retrieve the signature.
>
> If a key has been stripped of all traces of the owner's identity, I don't
> see how it would be possible to adequately verify trust of that key during
> the keysigning party.

Outside the technical issues of what a keysigning party entails, and the standard policy for signing (some people aren't as strict or don't place much weight on government-issued ID), there is simply the question of what signing a key means.

A key signature is an assertion that the identifying information in a UID accurately describes a person proven to have access to the key. The idea is that a person who trusts me (for some definition of trust) and wants to communicate with a person whose UID was signed, can believe that the public keys associated with that UID will help them talk to that person.

Without UIDs, a key signature is meaningless. Sure, you may be able to build a trust path, but without a UID, you know nothing about who signed a message, or to whom you're encrypting a message. The signature itself is proof that the person who holds the key signed the message.

The problem described by Mayuresh seems to be: (1) assure users of the key they're communicating with you; (2) don't provide metadata to surveillance. The web of trust is fundamentally incompatible with (2). Key signing parties will not help you get there. You'll need to distribute knowledge of your keys in some other way.

If you want to use PGP/GPG for difficult-to-surveil communication, I would read this: https://gist.github.com/grugq/03167bed45e774551155

Chris
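An added illustration of the point Chris makes about UIDs, written for this archive page and not taken from the thread, from gpg or from any OpenPGP library: an OpenPGP certification is computed over the public key together with a user ID packet, so a key exported with its UIDs removed carries no certifications at all, while ordinary data signatures made with that key still verify. The Go model below, using the standard library's Ed25519, mirrors that binding. The type and function names (Key, Certify, StripIdentity, Identify) and the sample identities are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Key is a toy stand-in for an OpenPGP primary key: public key, bound user
// IDs, and the certifications other keys made on those UIDs (hypothetical model).
type Key struct {
	Pub   ed25519.PublicKey
	priv  ed25519.PrivateKey
	UIDs  []string
	Certs []Certification
}

// Certification mirrors an OpenPGP certification signature: it is computed over
// the certified key AND one user ID, never over the bare key.
type Certification struct {
	Issuer    string // fingerprint of the certifying key
	UID       string // the user ID being vouched for
	Signature []byte
}

// NewKey generates a fresh Ed25519 key pair bound to the given user IDs.
func NewKey(uids ...string) *Key {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Key{Pub: pub, priv: priv, UIDs: uids}
}

// Fingerprint is a short hash of the public key, as read aloud at a keysigning party.
func (k *Key) Fingerprint() string {
	sum := sha256.Sum256(k.Pub)
	return hex.EncodeToString(sum[:8])
}

// certData builds the bytes a certification signs: key || uid.
func certData(pub ed25519.PublicKey, uid string) []byte {
	return append(append([]byte{}, pub...), []byte(uid)...)
}

func hasUID(k *Key, uid string) bool {
	for _, u := range k.UIDs {
		if u == uid {
			return true
		}
	}
	return false
}

// Certify records that signer vouches for uid describing the holder of target.
func (signer *Key) Certify(target *Key, uid string) error {
	if !hasUID(target, uid) {
		return fmt.Errorf("key %s carries no UID %q to certify", target.Fingerprint(), uid)
	}
	sig := ed25519.Sign(signer.priv, certData(target.Pub, uid))
	target.Certs = append(target.Certs, Certification{signer.Fingerprint(), uid, sig})
	return nil
}

// StripIdentity models exporting a key with its UIDs removed. In OpenPGP the
// certifications hang off the UID packets, so they are lost along with them.
func StripIdentity(k *Key) *Key {
	return &Key{Pub: k.Pub, priv: k.priv}
}

// Identify returns the UIDs of target that carry a valid certification from a
// trusted key: the identities a web-of-trust verifier could accept.
func Identify(target *Key, trusted map[string]*Key) []string {
	var ids []string
	for _, c := range target.Certs {
		issuer, ok := trusted[c.Issuer]
		if !ok || !hasUID(target, c.UID) {
			continue // untrusted issuer, or the UID is no longer on the key
		}
		if ed25519.Verify(issuer.Pub, certData(target.Pub, c.UID), c.Signature) {
			ids = append(ids, c.UID)
		}
	}
	return ids
}

// Sign and VerifyMessage are plain data signatures: they prove only that the
// holder of the key signed msg, whatever the key's UIDs say.
func (k *Key) Sign(msg []byte) []byte { return ed25519.Sign(k.priv, msg) }

func VerifyMessage(k *Key, msg, sig []byte) bool { return ed25519.Verify(k.Pub, msg, sig) }

func main() {
	alice, bob := NewKey("Alice <alice@example.org>"), NewKey("Bob <bob@example.org>")
	if err := alice.Certify(bob, "Bob <bob@example.org>"); err != nil {
		panic(err)
	}
	trusted := map[string]*Key{alice.Fingerprint(): alice}
	bare, msg := StripIdentity(bob), []byte("constructed sample message")
	fmt.Println("certified identities:", Identify(bob, trusted)) // [Bob <bob@example.org>]
	fmt.Println("bare key signs OK:", VerifyMessage(bare, msg, bob.Sign(msg)), "identities:", Identify(bare, trusted))
}
```

The stripped key keeps its fingerprint and still produces valid message signatures, so a recipient can confirm "the holder of this key signed this"; what Identify returns for it is empty, because every certification was bound to a UID that is no longer there. That is the gap a keysigning party cannot close for a key distributed without identity information.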
- References:
- [Discuss] privacy with pgp keys
- From: m.m.rajwadkar at ieee.org (Mayuresh Rajwadkar)
- [Discuss] privacy with pgp keys
- From: abreauj at gmail.com (John Abreau)
- [Discuss] privacy with pgp keys