community-development

https://github.com/clojurians/community-development
arrdem 2016-01-18T19:01:13.002508Z

Yeah, it's a way to get hard-to-verify PGP keys associated with more or less trusted accounts and, critically, signatures/proofs of key access published thereby. You all trust that I own http://arrdem.com and http://twitter.com/arrdem, but what PGP key I use may not be obvious, and a malicious user could generate a key with one of my email addresses, upload it to the MIT keyserver or somewhere, and conduct a man-in-the-middle attack by decrypting mail to the fake key, re-encrypting it, and forwarding it to me. By associating a single key with several other identities and offering proof signatures that I control that key, it becomes easier to find public keys, and easier to validate that the single individual you want to contact is in fact in control of that key.

✅ 4
sveri 2016-01-18T19:35:51.002509Z

If you can cut down that whole process to one click you will get the 99% (the ones that never ever understand what you just wrote) to take part in key signing, otherwise the situation will remain as it is, I am afraid.

arrdem 2016-01-18T19:36:35.002510Z

Keybase gets pretty close to that. I agree it's a UX problem over technology that's existed for decades, but here we stand.

sveri 2016-01-18T19:39:06.002511Z

that looks interesting, I did not know that. Do you have an invite maybe?

juhoteperi 2016-01-18T19:49:10.002512Z

I have invites

richiardiandrea 2016-01-18T20:57:20.002513Z

One can say that one click is too quick, too soon; you should need to understand a bit of the trust model and how to properly identify people before you sign their key. But I agree gpg is just too complicated, that is why I have scripts for signing keys.