| 1 |
On Mon, Mar 4, 2019 at 2:06 PM Michał Górny <mgorny@g.o> wrote: |
| 2 |
|
| 3 |
> Furthermore, |
| 4 |
> it is recommended that the signer includes the URL of this GLEP |
| 5 |
> as the certification policy URL (``--cert-policy-url`` in GnuPG), |
| 6 |
> and appropriately indicates certification level (see |
| 7 |
> ``--default-cert-level`` in GnuPG). |
| 8 |
|
| 9 |
Rather than say "appropriately" why not explicitly indicate which |
| 10 |
certification level to use? Otherwise the distinction between 2/3 is |
| 11 |
going to become a point of debate. If you're going to standardize the |
| 12 |
URL it seems like standardizing the level makes sense (IMO specifying |
| 13 |
the URL for disambiguation is a great idea). |
| 14 |
|
| 15 |
> |
| 16 |
> 1. Obtain a hardcopy of signee's OpenPGP key fingerprint. The signer |
| 17 |
> must afterwards use the fingerprint to verify the authenticity |
| 18 |
> of the key being used. |
| 19 |
|
| 20 |
This seems needlessly specific. How about just requiring that they |
| 21 |
verify the fingerprint of the key to be signed with the person signing |
| 22 |
it. That could mean being handed a hardcopy, but it it could just |
| 23 |
mean being shown the fingerprint and transcribing it, or comparing it |
| 24 |
on-screen, etc. Obviously it needs to be communicated via a |
| 25 |
reasonably tamper-proof mechanism. |
| 26 |
|
| 27 |
This just seems to necessitate printing out keys when other methods |
| 28 |
might be just as secure. Maybe focus more on the what than the how. |
| 29 |
|
| 30 |
-- |
| 31 |
Rich |
Archives