Using root CAs as a trusted 3rd party

gnupg at lists.grepular.com
Sun Jan 22 16:18:34 CET 2012


On 22/01/12 02:49, Aaron Toponce wrote:

> Yes. That's all I'm after. I think the militant "I _absolutely_ won't sign
> any keys unless I verify their identification, face-to-face" attitude is
> hindering adoption. There must be a way to build the WOT, while still
> allowing people to sign keys without meeting. Thus, the reasons for 0x10,
> 0x11, 0x12 and 0x13 in GnuPG for identifying how carefully you've verified
> the owner of a key.
> 
> I'm looking for ways to build the WOT, without hindering adoption, by
> taking advantage of various means to establish trust of key ownership. This
> seems to be a method, I just want to make sure I have all my i's jotted and
> my t's crossed.

I've taken a different approach. Rather than trying to build up a WOT by
getting people to sign my key, I've just made sure that the fingerprint
of my master key is spread wide and far over the Internet, and that I
sign everything.

The front page of my website https://grepular.com/ is signed. It
displays my fingerprint, and a Google link next to it:

https://encrypted.google.com/search?q=%2235BC+AF1D+3AA2+1F84+3DC3+B0CF+70A5+F512+0018+461F%22&filter=0

You can see my fingerprint mentioned all over the place. I also sign all
of my profiles on different sites whenever possible. A couple of examples:

http://hackerbuddy.com/users/2670
https://news.ycombinator.com/user?id=mike-cardwell

My fingerprint is also stored in a PKA record in the DNS:

mike at Fuzzbutt:~$ dig +short txt mike.cardwell._pka.grepular.com
"v=pka1\;fpr=35BCAF1D3AA21F843DC3B0CF70A5F5120018461F\;uri=http://grepular.com/0018461F.pub.asc"
mike at Fuzzbutt:~$

And the DNS for grepular.com even uses DNSSEC. I don't think you need to
meet me in person to be confident that the key you've downloaded is mine.

I sometimes wonder if the traditional public web of trust is even a good
idea. Are you happy to be associated with everybody you've signed the
key of and those who have signed yours? Are you sure that none of these
people will do anything in the future which might cause these public
associations to become a problem for you?

-- 
Mike Cardwell  https://grepular.com/     http://cardwellit.com/
OpenPGP Key    35BC AF1D 3AA2 1F84 3DC3  B0CF 70A5 F512 0018 461F
XMPP OTR Key   8924 B06A 7917 AAF3 DBB1  BF1B 295C 3C78 3EF1 46B4
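The PKA lookup in the message above binds an e-mail address to a key fingerprint through a DNS TXT record, and the value of that binding depends on actually comparing the fingerprint in the record with the fingerprint of the key you fetched. The following Python is an added example written for this page, not code from the original post or from GnuPG; it parses a pka1 TXT string in the form `dig +short` prints it, derives the record name from an address the way GnuPG's PKA scheme does (local part, `._pka.`, domain), and compares fingerprints after normalising the different presentations seen on this page (spaced groups, optional `0x`). The sample record and displayed fingerprint are copied from the message; a tampered variant used for the negative check is constructed.

```python
import re

# Sample copied from the message: dig +short output for the PKA TXT record.
# dig backslash-escapes the semicolons inside the quoted TXT string.
SAMPLE_TXT = r'"v=pka1\;fpr=35BCAF1D3AA21F843DC3B0CF70A5F5120018461F\;uri=http://grepular.com/0018461F.pub.asc"'

# Fingerprint as it appears in the signature block (4-hex groups, double space mid-way).
DISPLAYED_FPR = "35BC AF1D 3AA2 1F84 3DC3  B0CF 70A5 F512 0018 461F"


def pka_name(email):
    """DNS owner name GnuPG queries for a PKA record: <local-part>._pka.<domain>."""
    local, _, domain = email.partition("@")
    if not local or not domain:
        raise ValueError(f"not an e-mail address: {email!r}")
    return f"{local}._pka.{domain}"


def normalize_fpr(fpr):
    """Canonical v4 fingerprint: 40 uppercase hex chars, no spaces, no 0x prefix."""
    f = re.sub(r"\s+", "", fpr).upper()
    if f.startswith("0X"):
        f = f[2:]
    if not re.fullmatch(r"[0-9A-F]{40}", f):
        raise ValueError(f"not a v4 OpenPGP fingerprint: {fpr!r}")
    return f


def parse_pka_txt(txt):
    """Parse a pka1 TXT record (quoted/escaped dig form or bare v=pka1;fpr=..;uri=..)."""
    s = txt.strip()
    if len(s) >= 2 and s[0] == '"' and s[-1] == '"':
        s = s[1:-1]
    s = s.replace("\\;", ";")
    fields = {}
    for part in s.split(";"):
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed field: {part!r}")
        key, value = part.split("=", 1)
        fields[key.strip().lower()] = value.strip()
    if fields.get("v") != "pka1":
        raise ValueError("not a pka1 record")
    if "fpr" not in fields:
        raise ValueError("pka1 record carries no fingerprint")
    fields["fpr"] = normalize_fpr(fields["fpr"])
    return fields


def key_ids(fpr):
    """Long (64-bit) and short (32-bit) key IDs are the trailing hex of a v4 fingerprint."""
    f = normalize_fpr(fpr)
    return {"long": f[-16:], "short": f[-8:]}


def check_record(txt, expected_fpr):
    """True when the record's fingerprint equals the one you obtained elsewhere
    (e.g. computed by gpg from the key you fetched from the record's uri)."""
    record = parse_pka_txt(txt)
    return normalize_fpr(expected_fpr) == record["fpr"], record


if __name__ == "__main__":
    print(pka_name("mike.cardwell@grepular.com"))
    ok, rec = check_record(SAMPLE_TXT, DISPLAYED_FPR)
    print("fingerprint matches record:", ok, "uri:", rec["uri"], key_ids(rec["fpr"]))
```

The `uri` field only tells you where to fetch a key; it is the `fpr` comparison, and the DNSSEC-signed zone it comes from, that carries the assurance, so a record that pointed at a plain-http URI is no weaker as long as the fetched key's fingerprint is checked against the record rather than trusted as downloaded.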
