trust your corporation for keyowner identification?

Stan Tobias sttob at privatdemail.net
Thu Oct 24 19:27:42 CEST 2013


Peter Lebbing <peter at digitalbrains.com> wrote:
> On 24/10/13 01:15, Stan Tobias wrote:
> > , then why do we believe WoT authenticates anything?  Why do we accept, for
> > example, a conversation by telephone to validate a key fingerprint?
>
> Because these are verifications outside the Web of Trust.

Is that the only requirement?  Then I have fantastic news for you!
You'll no longer have to visit your friends around Alpha Centauri to be
able to certify their keys.

A new system will be developed, called ClosedGPG (Galactic Privacy
Guarantee).  It will provide services such as signatures (for
authentication) and key certificates.  The certificates will be backed
by the LoH (Line of Hope) scheme (can't give you specifics - not been
invented yet).

It works like this:  When your distant friend creates a new OpenPGP key,
he only needs to send you the message "I use this key: [base64 OpenPGP
key snipped]" signed with his ClosedGPG key.  By invoking the LoH system
you validate his ClosedGPG signature and convince yourself the message
is authentic, all entirely outside of WoT.  Now you can safely sign his
OpenPGP key with yours, and send it from your cottage on Mars to your
friends working on Titan.  All in a measly four years!

(If you wondered - of course, certifications of ClosedGPG keys have
a requirement to be done outside of LoH.  For this purpose you employ
OpenPGP backed by the WoT scheme.)

Best regards, 
allow me some time for answering other parts,
Stan.



More information about the Gnupg-users mailing list