On Mon, Mar 4, 2019 at 2:06 PM Michał Górny <mgorny@g.o> wrote: |
|
> Furthermore, |
> it is recommended that the signer includes the URL of this GLEP |
> as the certification policy URL (``--cert-policy-url`` in GnuPG), |
> and appropriately indicates certification level (see |
> ``--default-cert-level`` in GnuPG). |
|
Rather than say "appropriately" why not explicitly indicate which |
certification level to use? Otherwise the distinction between 2/3 is |
going to become a point of debate. If you're going to standardize the |
URL it seems like standardizing the level makes sense (IMO specifying |
the URL for disambiguation is a great idea). |
|
> |
> 1. Obtain a hardcopy of signee's OpenPGP key fingerprint. The signer |
> must afterwards use the fingerprint to verify the authenticity |
> of the key being used. |
|
This seems needlessly specific. How about just requiring that they |
verify the fingerprint of the key to be signed with the person signing |
it. That could mean being handed a hardcopy, but it could just
mean being shown the fingerprint and transcribing it, or comparing it |
on-screen, etc. Obviously it needs to be communicated via a |
reasonably tamper-proof mechanism. |
|
This just seems to necessitate printing out keys when other methods |
might be just as secure. Maybe focus more on the what than the how. |
|
-- |
Rich |
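The two points in the message above, verifying the signee's full fingerprint through a tamper-resistant channel before certifying, and certifying with an explicit policy URL and certification level, as an added example; this is not code from the thread or from the GLEP. It assumes a constructed `gpg --with-colons --fingerprint` listing with a made-up fingerprint, a placeholder policy URL, and that the signer has already obtained the fingerprint out of band (hardcopy, on-screen comparison, or any other means, as Rich suggests). The real `gpg --sign-key` step is still interactive; the example only builds its argument list.

```python
"""Added example (not from the thread or the GLEP): check a transcribed
fingerprint against the key actually in the keyring, then build the GnuPG
certification command with an explicit policy URL and cert level."""
import re

# Constructed sample of `gpg --with-colons --fingerprint` output. The key and
# fingerprint are made up for this example.
SAMPLE_COLONS = """tru::1:1551700000:0:3:1:5
pub:u:4096:1:0123456789ABCDEF:1551700000:::u:::scESC::::::23::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:u::::1551700000::::Example Signee <signee@example.invalid>::::::::::0:
"""

# Placeholder for the GLEP URL that the quoted text asks signers to record.
POLICY_URL = "https://example.invalid/PLACEHOLDER-GLEP-URL"


def key_fingerprints(colons_output):
    """Return the primary-key fingerprints in a colon listing.

    In `--with-colons` output an `fpr` record carries the fingerprint in
    field 10 (index 9 after splitting on ':'). Only the `fpr` record that
    directly follows a `pub` record is the key's identity; subkey (`sub`)
    fingerprints are deliberately ignored.
    """
    fprs = []
    expecting_primary_fpr = False
    for line in colons_output.splitlines():
        fields = line.split(":")
        tag = fields[0]
        if tag == "pub":
            expecting_primary_fpr = True
        elif tag == "fpr" and expecting_primary_fpr:
            fprs.append(fields[9])
            expecting_primary_fpr = False
        elif tag in ("sub", "ssb", "uid"):
            expecting_primary_fpr = False
    return fprs


def normalize_fingerprint(text):
    """Strip whitespace, an optional 0x prefix, and case from a transcription."""
    cleaned = re.sub(r"\s+", "", text).upper()
    if cleaned.startswith("0X"):
        cleaned = cleaned[2:]
    return cleaned


def fingerprint_matches(transcribed, key_fpr):
    """True only when the complete fingerprint was verified.

    A transcription that is only a short key ID (8 or 16 hex digits) is
    rejected even if it is a suffix of the real fingerprint: short IDs are
    not collision resistant, so a suffix match is not verification.
    """
    t = normalize_fingerprint(transcribed)
    k = normalize_fingerprint(key_fpr)
    if len(t) not in (40, 64) or not re.fullmatch(r"[0-9A-F]+", t):
        return False
    return t == k


def sign_key_command(key_fpr, policy_url, cert_level):
    """argv for `gpg --sign-key` with the policy URL and cert level made explicit.

    Pinning the level here is the point Rich raises: leaving it to each
    signer's defaults is what turns the 2-versus-3 distinction into debate.
    """
    if cert_level not in (0, 1, 2, 3):
        raise ValueError("GnuPG certification levels are 0..3")
    return [
        "gpg",
        "--cert-policy-url", policy_url,
        "--default-cert-level", str(cert_level),
        "--sign-key", normalize_fingerprint(key_fpr),
    ]


def verify_and_build(transcribed, colons_output, policy_url, cert_level):
    """Refuse to produce a certification command unless the fingerprint
    obtained out of band matches the single key in the listing."""
    fprs = key_fingerprints(colons_output)
    if len(fprs) != 1:
        raise ValueError("expected exactly one primary key, got %d" % len(fprs))
    if not fingerprint_matches(transcribed, fprs[0]):
        raise ValueError("fingerprint mismatch: do not certify this key")
    return sign_key_command(fprs[0], policy_url, cert_level)


if __name__ == "__main__":
    # Fingerprint as it might be read off a hardcopy, with gpg's spacing.
    hardcopy = "0123 4567 89AB CDEF 0123  4567 89AB CDEF 0123 4567"
    print(" ".join(verify_and_build(hardcopy, SAMPLE_COLONS, POLICY_URL, 3)))
```

The function deliberately refuses short key IDs and anything shorter than a full 40-digit (v4) or 64-digit (v5) fingerprint, which is what "verify the fingerprint of the key to be signed" has to mean regardless of whether the digits arrived on paper or on a screen.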