On Mon, Mar 4, 2019 at 2:57 PM Michał Górny <mgorny@g.o> wrote:
>
> On Mon, 2019-03-04 at 14:18 -0500, Rich Freeman wrote:
> > On Mon, Mar 4, 2019 at 2:06 PM Michał Górny <mgorny@g.o> wrote:
> >
> > > Furthermore,
> > > it is recommended that the signer includes the URL of this GLEP
> > > as the certification policy URL (``--cert-policy-url`` in GnuPG),
> > > and appropriately indicates certification level (see
> > > ``--default-cert-level`` in GnuPG).
> >
> > Rather than say "appropriately" why not explicitly indicate which
> > certification level to use? Otherwise the distinction between 2/3 is
> > going to become a point of debate. If you're going to standardize the
> > URL it seems like standardizing the level makes sense (IMO specifying
> > the URL for disambiguation is a great idea).
>
> Well, I believe both 2 and 3 can be valid, depending on how minutely
> you've verified the document. I'd say you'd say 3 if you really
> carefully ensured all three points (including multiple anti-counterfeit
> measures); 2 if you just looked if the document looks reasonable but
> failed to prepare.

You said "The verification must include, to the best of signer's
abilities" which implies that #2 isn't really allowed in this case.

If we want to leave it up to individual discretion I guess it is fine.
Just expect variation. What counts as #3 for one person might be
different from another's judgment. The gpg docs say as much as well.
If you do want some standard applied then maybe be explicit.

> > > 1. Obtain a hardcopy of signee's OpenPGP key fingerprint. The signer
> > >    must afterwards use the fingerprint to verify the authenticity
> > >    of the key being used.
> >
> > This seems needlessly specific. How about just requiring that they
> > verify the fingerprint of the key to be signed with the person signing
> > it. That could mean being handed a hardcopy, but it could just
> > mean being shown the fingerprint and transcribing it, or comparing it
> > on-screen, etc. Obviously it needs to be communicated via a
> > reasonably tamper-proof mechanism.
> >
> > This just seems to necessitate printing out keys when other methods
> > might be just as secure. Maybe focus more on the what than the how.
>
> Sorry, non-native English speaker here. I thought the intent was clear
> from the sentence, and people are going to be able to figure out that
> the purpose is to have a tamper-proof value here.

The word "hardcopy" generally means something printed on paper. A
non-paper-based process would not involve a "hardcopy" of anything.

If the intent was to just convey the need to verify the fingerprint,
then maybe reword to:

1. Obtain the signee's OpenPGP key fingerprint. The signer
   must use the fingerprint to verify the authenticity
   of the key being used.

I removed "hardcopy" and "afterwards." We don't care what media is
used to transfer the fingerprint if it is secure (this is in-person,
so I think we can leave that detail out). We really don't care about the
order the various steps happen in either - if they want to check the
fingerprint before looking at the photo ID/etc that is fine.

-- 
Rich
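The GnuPG side of the procedure discussed above (verify the signee's fingerprint against the value obtained in person, then certify with ``--cert-policy-url`` and an explicit ``--default-cert-level``), as an added example that is not part of the thread or of the GLEP text it quotes. The policy URL is a placeholder because the thread does not name the GLEP, the ``example.invalid`` user IDs are throwaway keys generated on the fly, the "transcribed" fingerprint is constructed by re-spacing the real one (in a real signing it comes from the paper, screen or card the other person shows you), and the helper names are mine. The comparison deliberately accepts only a full fingerprint, so an 8- or 16-digit key ID cannot pass as verification.

```sh
#!/bin/sh
# Added example, not from the thread or the GLEP. Certifies a key the way
# the quoted text describes: verify the signee's fingerprint against the
# value obtained out of band, then sign with a policy URL and an explicit
# certification level. Runs offline in a throwaway GNUPGHOME.
#
# Assumptions (not from the page): GLEP_URL is a placeholder, the
# example.invalid user IDs are throwaway, and the helper names are mine.
GLEP_URL=${GLEP_URL:-https://example.invalid/the-glep-being-discussed}

# Fold a fingerprint as it might be read off paper, a screen or a card:
# drop whitespace, upper-case the hex digits.
normalize_fpr() {
    printf '%s' "$1" | tr -d '[:space:]' | tr '[:lower:]' '[:upper:]'
}

# Exit 0 only if the two fingerprints are identical after normalisation
# and the first is a full fingerprint (40 hex digits for a v4 key, 64 for
# v5). A short key ID or an empty string never matches, so a careless
# comparison against an 8- or 16-digit ID cannot pass as verification.
fpr_matches() {
    _a=$(normalize_fpr "$1")
    _b=$(normalize_fpr "$2")
    case "$_a" in
        '' | *[!0-9A-F]*) return 1 ;;
    esac
    case ${#_a} in
        40 | 64) ;;
        *) return 1 ;;
    esac
    [ "$_a" = "$_b" ]
}

# Primary-key fingerprint of the first key GnuPG lists for a user ID,
# taken from the machine-readable (--with-colons) output.
key_fingerprint() {
    gpg --batch --with-colons --list-keys "$1" 2>/dev/null |
        awk -F: '$1 == "fpr" { print $10; exit }'
}

# certify_key SIGNER_FPR SIGNEE_FPR TRANSCRIBED_FPR LEVEL
# Refuses unless the fingerprint GnuPG reports for the signee matches the
# one the signer obtained in person; then certifies every user ID, putting
# the policy URL and the level (2 or 3, as debated above) on the signature.
certify_key() {
    fpr_matches "$2" "$3" || {
        echo "fingerprint mismatch: refusing to certify $2" >&2
        return 1
    }
    gpg --batch --yes --pinentry-mode loopback --passphrase '' \
        --local-user "$1" \
        --cert-policy-url "$GLEP_URL" \
        --default-cert-level "$4" \
        --quick-sign-key "$2"
}

# Stand-alone demo with two throwaway keys; skipped when gpg is absent.
demo_certification() {
    GNUPGHOME=$(mktemp -d) && export GNUPGHOME || return 1
    trap 'gpgconf --kill gpg-agent 2>/dev/null; rm -rf "$GNUPGHOME"' EXIT
    for who in signer signee; do
        gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
            --quick-generate-key "$who@example.invalid" default default never \
            2>/dev/null || return 1
    done
    signer=$(key_fingerprint signer@example.invalid)
    signee=$(key_fingerprint signee@example.invalid)
    # Constructed stand-in for the value handed over in person: the same
    # fingerprint re-spaced as it would be read from paper or a screen.
    transcribed=$(printf '%s' "$signee" | sed 's/..../& /g')
    certify_key "$signer" "$signee" "$transcribed" 3 || return 1
    # "sig 3" and a "Policy:" line on the new signature show level and URL.
    gpg --batch --list-options show-policy-urls --list-sigs "$signee"
}

if command -v gpg >/dev/null 2>&1; then
    demo_certification || echo "demo did not complete (gpg-agent unavailable?)" >&2
else
    echo "gpg not installed; fingerprint helpers defined, demo skipped" >&2
fi
```

In the ``--list-sigs`` output the certification level appears as the digit after ``sig`` (``sig 3`` for level 3, ``sig 2`` for level 2), and ``--list-options show-policy-urls`` prints the URL recorded by ``--cert-policy-url`` under the signature, which is what lets a later reader tell a GLEP-style certification from an ordinary one.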