OpenPGP certificate flooding

Posted Jul 4, 2019 1:35 UTC (Thu) by dkg (subscriber, #55359)
In reply to: OpenPGP certificate flooding by pabs
Parent article: OpenPGP certificate flooding

I agree with pabs here, this is the only sensible way to permit distribution of third-party certifications, but the devil is in the details.

Several months ago, I outlined a way to do that in an attempt to spur public discussion. It's not set in stone, and indeed, there is a proposal to amend it. It will take a bit more work to get the specification right, but the real work will be in the tooling to make it possible for normal humans to do exactly the right multi-party, serialized dance necessary to make something that an abuse-resistant keystore can feel confident in redistributing.

This work is not just crypto or RFC 4880 packet parsing/generating work -- that's the easy bit. The hard stuff is thinking about user experience. What is the smoothest way to present these options to the user so that they know what they're doing, without having to know all the gory details.

I don't have the bandwidth to develop that tooling myself right now. But if anyone wants to work on building it out and thinking about the user experience for that process, i'd be happy to act as a sounding board/tester/bug reporter.