Re: [openpgp] Manifesto - who is the new OpenPGP for?

Brian Sniffen <> Thu, 26 March 2015 19:46 UTC

To: Phillip Hallam-Baker <>, Christoph Anton Mitterer <>
Date: Thu, 26 Mar 2015 14:46:17 -0500
Cc: IETF OpenPGP <>

Phillip Hallam-Baker <> writes:

> On Wed, Mar 25, 2015 at 6:25 PM, Christoph Anton Mitterer
> <> wrote:
>> On Wed, 2015-03-25 at 22:56 -0500, Phillip Hallam-Baker wrote:
>>> Web of Trust is a fine academic
>>> theory but it is not how OpenPGP is really used in the real world.
>> Lol?
>> How else do you use it?
> I see people using fingerprints directly mostly. Some download them
> from key servers.
> By Web of Trust I mean actually following a chain to check a key.

I walked a colleague through doing that today: she needs to send me a
secret, and I can't take time to call her and read a fingerprint.
Fortunately, my key had been signed by many other colleagues, and she
had trusted keys from a few of them.  It worked exactly as designed.

It's similarly helpful for new people joining that group---new staff, in
that case.  This is just an anecdote, of course, but so is "I have
never...".  I expect there are little cells of WoT usage scattered
around, and little cells of blind trust, and little cells of
read-the-fingerprint---when strangers meet.

> No, I think there are quite a few things that we can do today that
> change the WoT game. People carry smart phones with near field
> communication, barcode, cameras. So signing can be made a lot simpler.

I would be interested to see a tag on key signatures.  That would let me
play with automatic signatures and such without polluting the WoT.  I
don't directly see how to do this---is this what "Key Endorsements" are
for in


Brian Sniffen
"I reserve the right to evolve my views, and state that views I previously
 expressed may have been somewhere along the spectrum from insufficiently
 nuanced through ill-informed to dead wrong."