PGP & Vectors of Trust? #17

Open
ChristopherA opened this issue Oct 30, 2015 · 2 comments
@ChristopherA (Member)

/re PGP-Paradigm.pdf #569b5a4
/cc @joncallas

One thing I've always wanted with PGP is that, when I signed someone's key, I could notate more about the quality and effort of my validity assertion. For instance, a vector-of-trust-like assertion about:

  • My personal knowledge of the identity of the person (say P0 is a familiar stranger, P3 is a new associate and P5 is a long-term associate)
  • The nature of the validity check (V0 key server, V3 phone or other out-of-band simultaneous connection, V5 in-person exchange of hash and mutual exchange of signatures)

etc. Why didn't some form of this type of assertion evolve in the PGP ecosystem? Was it purely a matter of it being too UX-complex for the expected average user? Or an issue of validity vs. trust? Or am I missing something?

@joncallas (Collaborator)

They exist. Section 5.2.1 of RFC 4880. At one time during the discussions of transition from 2440 to 4880, we were looking at removing them, and they got put back in because people wanted them.

I don't think the reason they're not used is only UX: GnuPG implements just about everything, so it would be trivial to do; it's more that no one knows what they mean. That's the reason we were looking at removing them in the first place.

Here's what 4880 says:

   0x10: Generic certification of a User ID and Public-Key packet.
      The issuer of this certification does not make any particular
      assertion as to how well the certifier has checked that the owner
      of the key is in fact the person described by the User ID.

   0x11: Persona certification of a User ID and Public-Key packet.
      The issuer of this certification has not done any verification of
      the claim that the owner of this key is the User ID specified.

   0x12: Casual certification of a User ID and Public-Key packet.
      The issuer of this certification has done some casual
      verification of the claim of identity.

   0x13: Positive certification of a User ID and Public-Key packet.
      The issuer of this certification has done substantial
      verification of the claim of identity.

      Most OpenPGP implementations make their "key signatures" as 0x10
      certifications.  Some implementations can issue 0x11-0x13
      certifications, but few differentiate between the types.

What is the difference between a persona certification and a casual certification? What would "substantial verification" be? Personally, one of the things that I dislike about the PGP culture is how surly it is to nyms and personae to begin with, and that is one of the reasons I don't like key signing parties.
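As an added example (not code from this issue, from GnuPG, or from any other OpenPGP implementation), the following Python reads the signature type octet out of OpenPGP signature packets and maps it to the four section 5.2.1 certification classes quoted above, so you can see what level a given key signature actually claims. It handles both old- and new-format packet headers (RFC 4880 section 4.2) and v3 and v4 signature packets (sections 5.2.2 and 5.2.3). The sample packets are constructed by hand inside the block; they carry dummy MPIs and would not verify against any key.

```python
"""Read the certification class of OpenPGP key signatures.

Added example for this thread, not code from the issue or from GnuPG.
All sample packets below are constructed here and are not real signatures.
"""

SIGNATURE_TAG = 2  # packet tag for a Signature Packet (RFC 4880 section 4.3)

# RFC 4880 section 5.2.1 certification signature types.
CERT_CLASSES = {
    0x10: "generic",   # no particular assertion about how the UID was checked
    0x11: "persona",   # no verification done
    0x12: "casual",    # casual verification
    0x13: "positive",  # substantial verification
}


def parse_packets(data: bytes):
    """Yield (tag, body) for each packet, handling old- and new-format headers."""
    i, n = 0, len(data)
    while i < n:
        ctb = data[i]
        if not ctb & 0x80:
            raise ValueError(f"bit 7 not set in packet header at offset {i}")
        i += 1
        if ctb & 0x40:
            # New format: tag in the low 6 bits, one/two/five-octet body length.
            tag = ctb & 0x3F
            first = data[i]
            i += 1
            if first < 192:
                length = first
            elif first < 224:
                length = ((first - 192) << 8) + data[i] + 192
                i += 1
            elif first == 255:
                length = int.from_bytes(data[i:i + 4], "big")
                i += 4
            else:
                raise ValueError("partial body lengths are not supported here")
        else:
            # Old format: tag in bits 2-5, length-type in bits 0-1.
            tag = (ctb >> 2) & 0x0F
            length_type = ctb & 0x03
            if length_type == 3:
                raise ValueError("indeterminate-length packets are not supported")
            size = (1, 2, 4)[length_type]
            length = int.from_bytes(data[i:i + size], "big")
            i += size
        body = data[i:i + length]
        if len(body) != length:
            raise ValueError("truncated packet")
        i += length
        yield tag, body


def signature_type(body: bytes) -> int:
    """Return the signature type octet of a v3 or v4 signature packet body."""
    version = body[0]
    if version == 4:
        return body[1]            # v4: version, type, pk alg, hash alg, ...
    if version == 3:
        if body[1] != 5:          # v3: version, hashed length (must be 5), type, ...
            raise ValueError("v3 signature hashed-material length must be 5")
        return body[2]
    raise ValueError(f"unsupported signature version {version}")


def certification_levels(data: bytes):
    """List (type, class) per signature packet; class is None when the
    signature is not a User ID certification (e.g. 0x00 binary document)."""
    out = []
    for tag, body in parse_packets(data):
        if tag == SIGNATURE_TAG:
            t = signature_type(body)
            out.append((t, CERT_CLASSES.get(t)))
    return out


# Constructed sample packets: left 16 hash bits plus a one-octet dummy MPI.
DUMMY_TAIL = b"\xab\xcd" + b"\x00\x08\xff"


def v4_signature_packet(sig_type: int, old_format: bool = False) -> bytes:
    # pk alg 1 (RSA), hash alg 8 (SHA-256), empty hashed/unhashed subpackets.
    body = bytes([4, sig_type, 1, 8]) + b"\x00\x00" + b"\x00\x00" + DUMMY_TAIL
    header = bytes([0x88, len(body)]) if old_format else bytes([0xC2, len(body)])
    return header + body


def v3_signature_packet(sig_type: int) -> bytes:
    # v3 layout: version, 5, type, 4-octet time, 8-octet key ID, pk alg, hash alg.
    body = bytes([3, 5, sig_type]) + b"\x00" * 12 + bytes([1, 8]) + DUMMY_TAIL
    return bytes([0xC2, len(body)]) + body


SAMPLE = (v4_signature_packet(0x10)                 # what most implementations emit
          + v4_signature_packet(0x13, old_format=True)
          + v3_signature_packet(0x12)
          + v4_signature_packet(0x00))              # document signature, not a cert

if __name__ == "__main__":
    for t, cls in certification_levels(SAMPLE):
        print(f"sig type 0x{t:02x}: {cls or 'not a certification'}")
```

GnuPG writes 0x10 unless the signer uses `--ask-cert-level` or sets `--default-cert-level` to 1, 2 or 3, and its `--min-cert-level` (default 2) drops certifications below that level when computing validity, so persona (0x11) certifications are ignored by default.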

@jimscarver

FreeTrust.org begins with dimensions of identity, presence, security and privacy, for which we would have assertions and proofs. Trust is subjective, and the personal trust of the signer weights trust in the assertion.

I love the Vectors of Trust standard! But we must support them all, since anyone might trust something different and nobody knows what the standard will be tomorrow.

It is wonderful to find a group so far along in this area. :-)
