I wouldn't sign someone's key without getting the fingerprint in person (or at least on skype after a history of back-and-forth signed emails.)
I do, however, have the PGP Global Directory signed locally on my setup. So anyone who gets their key verified on PGP Global Directory shows up as valid to me.
Perhaps I'm missing something, but how is the verification by the PGP Global Directory different from what we're doing here?
At the Global Directory I uploaded my key, then received an email with a confirmation link in it. Once I clicked the link, my key was signed. I have shown that I have access to the email account mentioned in the key.
Here we post a signed message with instructions (and key fingerprint). The potential verifier receives a signed message back that points to the first signed message. I have not only shown that I have access to the email account mentioned in the key, but also that I have access to the key. It would seem to me that this method is a tad better at verifying that the email address and the key go together.
Have I missed anything?
Cheers,
Yep, the authentication is basically the same. The differences are more social:
(1) It's all centralized to the PGP Global Directory key. If I trust that, I'll trust your sig whether I know you or not. Whether I'm involved in bitcoin or not. You get thousands of people to automatically assume your sig is valid, rather than one at a time. You don't need a hundred page thread here on bitcoin.org that someone needs to go through one-by-one, sending emails to dozens or hundreds of users.
(2) I don't need to publish a 'voucher' to your identity anywhere. This is what OpenPGP calls 'trust'.
So OpenPGP has two inter-related concepts: validity and trust. Validity means that the key has been authenticated somehow. Trust indicates that you trust this person to generate signatures correctly, by whatever your standard of correctness is.
With these two elements in place, the Web-of-Trust kicks in. It starts with keys that you have explicitly flagged as valid. Then based on the trust you've assigned to these keys (run 'gpg --update-trustdb' if you haven't already), it determines that several keys they've signed are valid. It repeats this for five layers, and that's all the keys where you can validate messages without seeing that "WARNING!!! Untrusted ...." error.
People who are really into the Web-of-trust think the proper way to sign a key is to verify the fingerprint in person (or on the phone/skype if you recognize their voice) and provide photo id to establish a real-world person's identity. Like I said, everyone needs to define their own trust model, so it's not wrong to sign keys like people are doing here. But it may cause someone else who validates your key to mark your key as valid, but untrusted to issue signatures, which excludes you from their web of trust calculations.
One way around this is to issue local signatures. Local signatures work just the same as normal signatures, but they CANNOT be exported to keyservers.
I'm pretty confident that Ian's key is good. I run:
gpg --lsign-key <<IANS_KEY_ID>>
And flag him as perhaps MODERATELY trusted. Now his signatures factor into my trust calculations, but I'm not making any representations to the outside world, since I haven't done 'proper' authentication.
This is fine, but gets to be a pain if you use multiple computers, or need to re-create your keyring, since this signature doesn't live on the keyservers.
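As an added example (not from this thread or from GnuPG itself), here is a toy Python model of the classic trust calculation described above: ultimately trusted keys are valid, a key becomes valid when signed by one fully trusted or three marginally trusted valid keys, this repeats for up to five layers, and a local signature counts in your own keyring but is stripped from what a keyserver would see. All key ids (me, ian, alice, ...) are made up.

```python
from dataclasses import dataclass, field

# gpg defaults: --max-cert-depth 5, --completes-needed 1, --marginals-needed 3
MAX_CERT_DEPTH, COMPLETES_NEEDED, MARGINALS_NEEDED = 5, 1, 3

@dataclass
class Sig:
    signer: str
    local: bool = False  # made with --lsign-key: stays in this keyring only

@dataclass
class Key:
    kid: str
    owner_trust: str = "unknown"  # ultimate / full / marginal / unknown
    sigs: list = field(default_factory=list)

def compute_validity(keyring):
    """Map key id -> valid?, propagating one certification layer per pass."""
    valid = {k.kid: k.owner_trust == "ultimate" for k in keyring.values()}
    for _layer in range(MAX_CERT_DEPTH):
        before = dict(valid)  # only keys valid at the previous layer certify
        for key in keyring.values():
            if before[key.kid]:
                continue
            full = marginal = 0
            for sig in key.sigs:
                signer = keyring.get(sig.signer)
                if signer is None or not before[signer.kid]:
                    continue  # unknown or still-invalid signer adds nothing
                if signer.owner_trust in ("ultimate", "full"):
                    full += 1
                elif signer.owner_trust == "marginal":
                    marginal += 1  # a valid key with "unknown" trust adds nothing
            if full >= COMPLETES_NEEDED or marginal >= MARGINALS_NEEDED:
                valid[key.kid] = True
        if valid == before:
            break
    return valid

def exportable_sigs(key):
    """The view a keyserver gets: local signatures are stripped."""
    return [s.signer for s in key.sigs if not s.local]

def sample_keyring():
    """Constructed keyring: 'me' lsigns ian/carol/dave at marginal trust."""
    keys = [Key("me", "ultimate"),
            Key("ian", "marginal", [Sig("me", local=True)]),
            Key("carol", "marginal", [Sig("me", local=True)]),
            Key("dave", "marginal", [Sig("me", local=True)]),
            Key("alice", sigs=[Sig("ian"), Sig("carol"), Sig("dave")]),
            Key("bob", sigs=[Sig("ian")]),
            Key("erin", "unknown", [Sig("me")]),  # valid, but not trusted to sign
            Key("frank", sigs=[Sig("erin")])]     # so erin's signature adds nothing
    return {k.kid: k for k in keys}
```

In the sample, alice becomes valid through three marginally trusted signers while bob (one marginal signer) and frank (signed only by a valid but untrusted key) stay invalid, and ian's key carries no exportable signature at all.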