basic identity mgmt
Doug Barton
dougb at dougbarton.email
Sun Jan 17 04:32:28 CET 2016
On 01/16/2016 07:06 PM, Andrew Gallagher wrote:
>
>> On 17 Jan 2016, at 02:19, Doug Barton <dougb at dougbarton.email> wrote:
>>
>> OTOH, PGP is designed primarily to establish trust relationships between people, with human review of the results an integral part of the process.
>
> That may have been the initial motivation. But consider that the most common real world use of PGP today is verification of code signatures - many of which are generated semi-automatically by build infrastructures such as Debian and verified by install tools. The trust relationship here is between your client and a build server, not people.
True enough, but what do those signatures actually mean?
But more importantly, what security measures are in place to prevent a
rogue key from entering that WOT, in addition to a certification
signature from a random key? Is the only thing someone would need to do
to compromise a single certification key?
>> Glossing over authentication (because there's no real use case for those keys yet),
>
> Two factor ssh smart card auth? I use it nearly every day - much more often than encrypted mail.
Sorry, all that does is replace something that already existed, works
well, and is widely supported, with something more complex, often buggy,
and not widely supported. That's not a use case, that's a solution
looking for a problem.
That's not to say that someday there won't be a use case for
authentication keys, but I haven't seen one yet.
> I don't think anyone has sent me an encrypted mail in over a year, and the last one was about signing a PGP key. ;-)
You're corresponding with the wrong people. :)
Doug