On 9/6/13 4:10 PM, Ted Lemon wrote:
> On Sep 6, 2013, at 6:42 PM, Joe Touch <touch(_at_)isi(_dot_)edu> wrote:
>> I've noted elsewhere that the current typical key-signing party
>> methods are very weak. You should sign only the keys of those who
>> you know well enough to claim you can attest to their identity.
>
> This is a ridiculously high bar. The bar should be about at the
> level of a facebook friend request.

People's personal policies about Facebook friend requests seem
to be all over the map, so I'm not sure what that means in
practice. I'm not sure that's a great model in any event, since
when you vouch for someone's identity - in an authoritative
trust system - you're also vouching for the authenticity of
their transactions. Those transactions would also include
*them* making attestations about the identity of people you've
likely never heard of.
Melinda