[SGVLUG] Keysigning

John Kreznar jek at ininx.com
Tue Dec 3 20:31:51 PST 2013


In an unsigned message, someone wrote: 

> I was trying to imagine situations where I thought the WoT was most
> likely to work and I had been thinking something like Debian or Python
> which are geographically distributed but still fairly tightly knit
> communities are the best case situations.

> When someone new joins, Alice, [she] was probably interacting with
> others over the Internet before [so] other members already had reason
> to know her.

What's important about the newcomer is this record of signed Internet
interactions.  The key with which these interactions are signed is more
intimately bound to the mind behind the interactions than physical
appearance or the nickname "Alice".

If there's basis for signing the key, it's this interaction itself, not
some physical meeting.

"Alice" is a convenient nickname, not to be relied on for security.
Physical meeting changes nothing.  The reputation attaches to the key
itself. 

> The key signing is providing a way to reduce the risk that someone
> else, Mallory, can impersonate Alice -- which is a risk because they
> only all see each other every few years at a conference.

Mallory would have no key which has earned a reputation.

-- 
OpenPGP key: http://ininx.com
 John E. Kreznar jek at ininx.com 9F1148454619A5F08550 705961A47CC541AFEF13
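An added illustration of the point argued above (this is editor-supplied example code, not part of the original post or of any project): a ledger that counts only interactions whose signature verifies under the key they claim. Reputation then lives on the key identifier, not on the nickname, so a fresh key presenting itself as "Alice" starts at zero, and a record that reuses one of Alice's genuine signatures on a different message is rejected outright. Hash-based Lamport one-time signatures (standard library only) stand in for OpenPGP signing; the batch-of-one-time-keys "identity key", the 16-hex-digit key id, the message texts and the names are all constructed for the example.

```python
import hashlib
import secrets

BITS = 256  # SHA-256 digest length; one secret pair per digest bit


def sha(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def _msg_bits(msg: bytes) -> list:
    h = sha(msg)
    return [(h[i // 8] >> (7 - i % 8)) & 1 for i in range(BITS)]


def lamport_keygen():
    """One-time key pair: 256 pairs of random secrets; the public half is their hashes."""
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(BITS)]
    pk = [(sha(a), sha(b)) for a, b in sk]
    return sk, pk


def lamport_sign(sk, msg: bytes) -> list:
    """Reveal, for each digest bit, the secret that matches that bit's value."""
    return [sk[i][bit] for i, bit in enumerate(_msg_bits(msg))]


def lamport_verify(pk, msg: bytes, sig) -> bool:
    """Each revealed secret must hash to the public value selected by the digest bit."""
    if len(sig) != BITS:
        return False
    return all(sha(sig[i]) == pk[i][bit] for i, bit in enumerate(_msg_bits(msg)))


def key_id_of(public) -> str:
    """Short fingerprint of a whole batch of one-time public keys (constructed format)."""
    flat = b"".join(a + b for pk in public for a, b in pk)
    return sha(flat).hex()[:16]


class IdentityKey:
    """Long-term identity: a batch of one-time keys, named by the hash of the batch."""

    def __init__(self, nickname: str, batch: int = 4):
        self.nickname = nickname  # convenience label only; never a security handle
        self.pairs = [lamport_keygen() for _ in range(batch)]
        self.public = [pk for _, pk in self.pairs]
        self.key_id = key_id_of(self.public)
        self.used = 0

    def sign(self, msg: bytes) -> dict:
        """Sign with the next unused one-time key; the record names which index was used."""
        if self.used >= len(self.pairs):
            raise RuntimeError("one-time keys exhausted; rotate to a new batch")
        idx, self.used = self.used, self.used + 1
        sk, _ = self.pairs[idx]
        return {"nick": self.nickname, "key_id": self.key_id, "public": self.public,
                "idx": idx, "msg": msg, "sig": lamport_sign(sk, msg)}


def verify_interaction(rec: dict) -> bool:
    """True only if the batch matches the claimed key id and the one-time signature verifies."""
    if key_id_of(rec["public"]) != rec["key_id"]:
        return False
    if not 0 <= rec["idx"] < len(rec["public"]):
        return False
    return lamport_verify(rec["public"][rec["idx"]], rec["msg"], rec["sig"])


def build_reputation(records) -> dict:
    """Count verified signed interactions per key id; unverifiable records earn nothing."""
    rep = {}
    for rec in records:
        if verify_interaction(rec):
            rep[rec["key_id"]] = rep.get(rec["key_id"], 0) + 1
    return rep


def demo() -> dict:
    # Constructed scenario: Alice's key builds up a history of signed interactions.
    alice = IdentityKey("Alice")
    history = [alice.sign(m) for m in (b"patch 1", b"patch 2", b"review of patch 3")]
    # Mallory turns up using the same nickname on a fresh key with no history ...
    mallory = IdentityKey("Alice")
    # ... and also tries reusing one of Alice's genuine signatures on a different message.
    forged = dict(history[0], msg=b"please trust my new key instead")
    rep = build_reputation(history + [forged])
    return {
        "alice_rep": rep.get(alice.key_id, 0),
        "mallory_rep": rep.get(mallory.key_id, 0),
        "forgery_verifies": verify_interaction(forged),
        "same_nickname": alice.nickname == mallory.nickname,
        "same_key": alice.key_id == mallory.key_id,
    }


if __name__ == "__main__":
    print(demo())
```

The ledger never looks at the nickname: two keys both labelled "Alice" get separate reputations, and the one with no verified history has none. The Lamport scheme is chosen only because it needs nothing beyond hashlib; its one-time nature is why `sign` refuses to reuse an index.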
