Non email addresses in UID

Steve Jones steve at secretvolcanobase.org
Fri Jan 24 18:48:56 CET 2014


On Fri, 24 Jan 2014 12:15:40 -0500
Daniel Kahn Gillmor <dkg at fifthhorseman.net> wrote:

> There are already systems that make use of the flexibility in this
> field.  For example SSH hosts can publish their RSA host key in an
> OpenPGP certificate using the monkeysphere (i'm a contributor to the
> monkeysphere project):
> 
>  http://web.monkeysphere.info/

This looks pretty cool, and does cover some of the things I've been
thinking about. I've been wondering about communications secured with
OpenPGP, it strikes me that it's not really necessary to even involve
SSL; and the nightmares that seems to involve. Does monkeysphere have
any aims to do complete connection security via OpenPGP?

> Other people advocate including a human-readable name without an
> e-mail address as a User ID, so that you can refer to a person
> without making any claim about e-mail addresses (i'm don't find the
> utility of this use case particularly convincing myself, but it
> doesn't seem terrible).

The use case for this would match more closely what the GPG manpage and
the PGP key signing party protocol dictate; i.e. that participants
verify state issued photo Id to confirm the name of the key holder is
their "real name" - none of my state issued Id has my email address on
it. Plus it makes a bit more sense in the case of multiple UIDs, one
for your name and possibly many for your email address.

> So the general question you're asking about is being done already.  As
> for facebook or openid or webforums other identifiers, i don't think
> those have been particularly well-thought through yet.  Under what
> circumstances would you use them?

My thinking is that identity as it is used on the Internet (or
the world in general) doesn't really match the way OpenPGP is used. To
take an obscure example: some people have noticed that Github has no
verification that commits submitted in repositories are actually made
by the users registered with those name and email addresses with them,
nor can it. This makes it possible, and some trolls have, to
impersonate Github users. Git allows for signing commits with keys, but
there's not really any way to associate those keys with accounts.
Sticking the URL of a Github account in a UID field and having other
contributors to a project sign that UID makes it possible to cross
verify commits with users. Note that at no stage in this processes is
Github required to implement or do anything and no-one's state
confirmed identity is involved. Github could of course sign that URL
UID if they wished to without saying anything about the user's
passport. 

So I'm led to the idea that associating keys with areas on the web
where a person's work, writings, etc... are known is more important
than some sort of confirmation of a person's name, which is not even a
unique identifier. If, for example, you'd signed your commits to
monkeysphere I'd be able to verify your claim that you are a
contributor to it (not that I doubt, or have any reason to doubt that).

-- 
Steve Jones <steve at secretvolcanobase.org>
Key fingerprint: 3550 BFC8 D7BA 4286 0FBC  4272 2AC8 A680 7167 C896
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 490 bytes
Desc: not available
URL: </pipermail/attachments/20140124/dc2bba2d/attachment.sig>


More information about the Gnupg-users mailing list