by nodata 4329 days ago
When I ask people for their e-mail address, they give it to me.

When I ask them to verify their pgp key, it's less easy.

How could the verification of the key be built into the address they give me? Something DNSSEC based I guess.

4 comments

Yes. DNSSEC. Because what we need is a trusted arbiter, and who better to fulfill that role than the governments of the US, or whatever country happens to own the TLD I use?

Well, it's at least better than X500. With DNSSEC you only have to trust one government, not all of them.

And you can also get more than one domain, in more than one TLD. Not very practical for automatic verification, but for surviving a manual verification several governments would have to collude against you.

I still think that there must be something better. But I'm probably not good enough to create it.

Governments, always trustworthy, especially for their own citizens.

Why is it not easy to verify a key (fingerprint)? Put it on a business card with the email address or read it over the phone?

Also, DNSSEC isn't much more secure than our current CA system.

Now your collection of business cards is susceptible to tampering (no cryptographic authentication!).

Do you never leave your collected business cards unattended at a conference or trade fair? Possible, if you put them into your shirt pocket.

Do you store them in a vault long-term? Probably not.

Is it impossible to impersonate you, either with a human sound-alike or by voice generation software?

If you want perfect security against everyone, it quickly spirals out of control. You should probably remove the wallpapers in your house regularly and inspect what's underneath. ;-)

I'm not entirely serious here, but I'm surprised at the optimism about what the individual can possibly achieve.

I was implying it was a person-to-person handing of a business card and that if it wasn't then it could be handled via the phone (which you would need from something other than the business card). But, yes, I didn't explain that as well as I could have.

"Now your collection of business cards is susceptible to tampering (no cryptographic authentication!)."

You are missing the part where it was suggested that the recipient of the business card telephones you and asks to verify the fingerprint.

In response to Tomte's criticism, this all boils down to the certification level: http://tanguy.ortolo.eu/blog/article9/pgp-signature-infos

1) A fingerprint on a possibly compromised business card == 0
2) A fingerprint verified by phoning someone == 1

etc. And associated with that independently is of course the level of trust.

Sorry Tomte for not replying immediately to your message, but I've posted too much on this apparently.

You are missing both the "or" in his sentence (i.e. he describes alternatives, not cumulative measures) and my retort to the verification by phone.

Either you need a trusted third party or you need to pass something that looks like (at best): 4UpbRAXYMgrESrAwiLPYymNNni1hwyL2JEK7zz2SN52t

You could do that by printing it on a business card or reading it over the phone, and then the other guy is going to have to type it in somewhere.

The reason trusted third party keeps on coming up, despite all the myriad fundamental problems, is exactly because slinging that around is so unattractive.

There IS a nicer way to present fingerprints to be much more human readable: map every few bytes to a whole dictionary word. There is an RFC for that:

http://www.ietf.org/rfc/rfc1751.txt

I've seen business cards with PGP fingerprints encoded as QR codes. That's a pretty neat idea.

Except you never notice when someone switches the QR code, as Tomte says.

Which is a very good point indeed.

"Hi, my email is john@doe.com and I'm johndoe on keybase.io" could work.