Re: pgp signing in van

Joe Touch <touch@isi.edu> Sat, 07 September 2013 01:30 UTC

Message-ID: <522A81A0.902@isi.edu>
Date: Fri, 06 Sep 2013 18:30:08 -0700
From: Joe Touch <touch@isi.edu>
To: Ted Lemon <ted.lemon@nominum.com>
Subject: Re: pgp signing in van
References: <m2zjrq22wp.wl%randy@psg.com> <2309.1378487864@sandelman.ca> <522A5A45.7020208@isi.edu> <CA2A6416-7168-480A-8CE1-FB1EB6290C77@nominum.com>
In-Reply-To: <CA2A6416-7168-480A-8CE1-FB1EB6290C77@nominum.com>
Cc: Michael Richardson <mcr@sandelman.ca>, IETF Disgust <ietf@ietf.org>
List-Id: IETF-Discussion <ietf.ietf.org>

On 9/6/2013 5:10 PM, Ted Lemon wrote:
> On Sep 6, 2013, at 6:42 PM, Joe Touch <touch@isi.edu> wrote:
>> I've noted elsewhere that the current typical key-signing party
>> methods are very weak. You should sign only the keys of those who you
>> know well enough to claim you can attest to their identity.
>
> This is a ridiculously high bar. The bar should be about at the
> level of a Facebook friend request.

Given I'm not on Facebook, the latter bar is infinitely high.

As per the PGP description:

---
There are several levels of confidence which can be included in such 
signatures. Although many programs read and write this information, few 
(if any) include this level of certification when calculating whether to 
trust a key.
---

And that's the problem - as long as endorsements are equal, they're only 
as good as your weakest one.

Joe
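
The following is an added example, not part of the original message. It contrasts a level-blind validity calculation with one that scores each path by its weakest certification, using the OpenPGP certification types 0x10 to 0x13 from RFC 4880. The names, the sample certifications, and the simplification that every signer acts as an introducer are assumptions made for the illustration.

```python
# OpenPGP certification signature types (RFC 4880, section 5.2.1).
GENERIC, PERSONA, CASUAL, POSITIVE = 0x10, 0x11, 0x12, 0x13

# Constructed sample data: (signer, signed key, certification type).
# All names are hypothetical.
CERTS = [
    ("me", "alice", POSITIVE),
    ("alice", "bob", POSITIVE),
    ("me", "carol", PERSONA),    # e.g. signed at a party with no identity check
    ("carol", "dave", POSITIVE),
    ("bob", "erin", CASUAL),
]


def reachable(root, certs):
    """Level-blind model: every certification counts the same."""
    valid, changed = {root}, True
    while changed:
        changed = False
        for signer, target, _level in certs:
            if signer in valid and target not in valid:
                valid.add(target)
                changed = True
    return valid


def weakest_link(root, certs):
    """Map each key to its best path from root, scored by the weakest
    certification on that path (a maximin / widest-path computation)."""
    strength, changed = {root: POSITIVE}, True
    while changed:
        changed = False
        for signer, target, level in certs:
            if signer not in strength:
                continue
            via = min(strength[signer], level)
            if via > strength.get(target, 0):
                strength[target] = via
                changed = True
    return strength


def valid_at(root, certs, min_level):
    """Keys whose best path never drops below min_level."""
    scores = weakest_link(root, certs)
    return {key for key, score in scores.items() if score >= min_level}
```

In the level-blind model "dave" is as valid as "bob", although the only path to "dave" runs through a persona-level certification.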