PGP signing

Published by Thias

Mac GPG Logo

I have been using PGP encryption for my mail in a intermittent fashion for years. While I like the idea – it would really be better if e-mails where encrypted and signed – using PGP encryption is in practice really complicated: just adding encryption support to Mac OS X’s e-mail program requires installing a package, and a plugin which currently breaks japanese support. As often with communication strategies, it only works as far as people you communicate with are also using this technology. When a colleague organised a key signing at work, I joined. I was in fact more interested in the process than the outcome: having my key signed is hardly a priority for me.

It was an interesting experience:

  • It is a complicated process, you print the hash of your key, read it aloud, people check it off their list.
  • You check the identity in the keys against some form of official document. This is in my opinion a weak point of the system. You actually check that John Smith is really a John Smith, but how are you sure that it’s the right one?
  • The supporting tools are really weak. Given how carefully the checks have to be done, having nice supporting tools makes it a smoother experience. The tool used to print the hash list could not handle utf-8 names. Phil wrote a useful script to help signing the keys afterwards, but I needed to modify it for it work on my machine.
  • The web of trust is is a social network, in some sense tighter that say facebook: I have never checked the identity of most of the people that are linked with me there, on the other hand, besides their identity, I don’t know much about the people whose key I signed.

All this lead me to think about the recent initiatives of states to provide their citizen with some key for their official businesses. As PGP keys signing is about proving that an electronic identity matches an official identity, state issued keys would solve the problem. At the same time, having a state signature is one thing, having a social network that vouches an identity is another, having both would be optimal. Identity is a social problem, so crowd-sourcing it seems like a natural solution.

I was at a church wedding last Friday, the witnesses dutifully signed the register. This ritual once was the way to certify the identity of people. The witnesses were the back-up in case the book-keeping system failed. Time has changed this process into a empty ritual. Still imagine that in a wedding, all the guests signed with their official keys that the two persons are who they claim they are and that they are married. This would give some substance to the ritual. Things should of course be more festive than the drab PGP signing party, but having something that forces the guest of the wedding to interact in formal way during the wedding would also be nice.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: