[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: USENIX PGP key signing service

At 11:49 PM 5/29/96 -0400, Carl Ellison wrote:
>You use a USENIX key whose only UserID is a
>URL instead of an e-mail address and at that URL you list the meaning of
>the signature.

This approach seems to be a good one given the current PGP and the desire
of (I hope more than just) USENIX to become a CA for PGP keys.

I like the idea of ensuring that the "owner" of the key can actually wield
the secret key, but it is not absolutely necessary.  What is necessary is
that the policy at the URL state what is being certified, and that it be
followed in practice.

I believe that the published policy will make USENIX signatures more
valuable than the signature of joeblow@somewhere.net in the web of trust.

(I have removed coderpunks@toad.com from the Cc: because the last time I
posted to both spki and coderpunks, I got a nastygram from the coderpunks
owner about cross-posting.  I have no objection to any of these comments
appearing on coderpunks.  I just don't want to be the guilty one.)

Bill Frantz       | The CDA means  | Periwinkle  --  Computer Consulting
(408)356-8506     | lost jobs and  | 16345 Englewood Ave.
frantz@netcom.com | dead teenagers | Los Gatos, CA 95032, USA