| 1 |
On Mon, 2019-03-04 at 14:18 -0500, Rich Freeman wrote: |
| 2 |
> On Mon, Mar 4, 2019 at 2:06 PM Michał Górny <mgorny@g.o> wrote: |
| 3 |
> |
| 4 |
> > Furthermore, |
| 5 |
> > it is recommended that the signer includes the URL of this GLEP |
| 6 |
> > as the certification policy URL (``--cert-policy-url`` in GnuPG), |
| 7 |
> > and appropriately indicates certification level (see |
| 8 |
> > ``--default-cert-level`` in GnuPG). |
| 9 |
> |
| 10 |
> Rather than say "appropriately" why not explicitly indicate which |
| 11 |
> certification level to use? Otherwise the distinction between 2/3 is |
| 12 |
> going to become a point of debate. If you're going to standardize the |
| 13 |
> URL it seems like standardizing the level makes sense (IMO specifying |
| 14 |
> the URL for disambiguation is a great idea). |
| 15 |
|
| 16 |
Well, I believe both 2 and 3 can be valid, depending on how minutely |
| 17 |
you've verified the document. I'd say you'd say 3 if you really |
| 18 |
carefully ensured all three points (including multiple anti-counterfeit |
| 19 |
measures); 2 if you just looked if the document looks reasonable but |
| 20 |
failed to prepare. |
| 21 |
|
| 22 |
> > 1. Obtain a hardcopy of signee's OpenPGP key fingerprint. The signer |
| 23 |
> > must afterwards use the fingerprint to verify the authenticity |
| 24 |
> > of the key being used. |
| 25 |
> |
| 26 |
> This seems needlessly specific. How about just requiring that they |
| 27 |
> verify the fingerprint of the key to be signed with the person signing |
| 28 |
> it. That could mean being handed a hardcopy, but it it could just |
| 29 |
> mean being shown the fingerprint and transcribing it, or comparing it |
| 30 |
> on-screen, etc. Obviously it needs to be communicated via a |
| 31 |
> reasonably tamper-proof mechanism. |
| 32 |
> |
| 33 |
> This just seems to necessitate printing out keys when other methods |
| 34 |
> might be just as secure. Maybe focus more on the what than the how. |
| 35 |
|
| 36 |
Sorry, non-native English speaker here. I thought the intent is clear |
| 37 |
from the sentence, and people are going to be able to figure out that |
| 38 |
the purpose is to have tamper-proof value here. |
| 39 |
|
| 40 |
-- |
| 41 |
Best regards, |
| 42 |
Michał Górny |
Archives