December 16, 2013
PGP Key Signing Parties are a curious thing. Often ridiculed for their excessive geekiness and complete lack of any resemblance to what is commonly understood to constitute a "party", it is a gathering of people who show each other some sort of identification as proof that they are who they say they are (and that they happen to be the owner of a particular PGP key).
This builds the Web of Trust, which, by way of the Small World Phenomenon allows users to establish trust paths between two PGP keys. But this web of trust is just a variation of a social network -- one with rather weak ties. Signing a PGP key really only means that you have verified that the identity attached to the key maps to a person (or persons, in the case of group keys) that has shown you matching proof of identity.
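To make the trust-path idea concrete, here is an added example (not code from the original post): a toy web of trust as a directed graph of signatures, with a breadth-first search for the chains that connect two keys and a validity computation modelled on GnuPG's default marginal/complete rule (one fully trusted signer or three marginally trusted ones, chains no longer than five hops). The key labels, signatures and owner-trust assignments are all constructed placeholders, and the example shows the weak-tie point: a key can carry several signatures and still be invalid from a given user's point of view.

```python
"""Toy web-of-trust path finder and validity check (added example).

A signature edge signer -> signed_key is what a key signing party
produces.  Validity is computed from one root key's point of view with
a simplified form of GnuPG's default trust model: a key is valid once
it is signed by one valid key whose owner is fully trusted, or by three
valid keys whose owners are marginally trusted, within max_cert_depth.
"""
from collections import deque

# Constructed sample data.  Real keys are identified by 40-hex-digit
# fingerprints; these short labels stand in for them.
SIGNATURES = {
    "ALICE": {"BOB", "CAROL"},
    "BOB": {"DAVE"},
    "CAROL": {"DAVE", "ERIN"},
    "DAVE": {"FRANK"},
    "ERIN": {"FRANK"},
    "FRANK": set(),
    "MALLORY": {"FRANK"},   # nobody Alice knows has signed Mallory's key
}

# Owner trust Alice has assigned to the people whose keys she knows.
OWNER_TRUST = {
    "ALICE": "ultimate",
    "BOB": "full",
    "CAROL": "marginal",
    "DAVE": "marginal",
    "ERIN": "marginal",
}


def trust_paths(signatures, src, dst, max_depth=5):
    """Return every acyclic signature chain from src to dst of at most
    max_depth hops, shortest first (breadth-first search)."""
    paths = []
    queue = deque([[src]])
    while queue:
        path = queue.popleft()
        node = path[-1]
        if node == dst:
            paths.append(path)
            continue
        if len(path) - 1 >= max_depth:
            continue
        for signed in sorted(signatures.get(node, ())):
            if signed not in path:          # never walk a cycle
                queue.append(path + [signed])
    return paths


def compute_validity(signatures, owner_trust, root,
                     completes_needed=1, marginals_needed=3, max_cert_depth=5):
    """Map each key that is valid from root's point of view to the depth
    (number of hops from root) at which it became valid."""
    signers_of = {}
    for signer, signed_keys in signatures.items():
        for key in signed_keys:
            signers_of.setdefault(key, set()).add(signer)

    valid = {root: 0}
    changed = True
    while changed:                          # iterate to a fixpoint
        changed = False
        for key, signers in signers_of.items():
            if key in valid:
                continue
            # Only signatures from keys that are themselves already valid,
            # made within the depth limit, count toward this key.
            usable = [s for s in signers
                      if s in valid and valid[s] < max_cert_depth]
            full = [s for s in usable
                    if owner_trust.get(s) in ("full", "ultimate")]
            marginal = [s for s in usable if owner_trust.get(s) == "marginal"]
            if len(full) >= completes_needed or len(marginal) >= marginals_needed:
                valid[key] = 1 + min(valid[s] for s in full + marginal)
                changed = True
    return valid


if __name__ == "__main__":
    for path in trust_paths(SIGNATURES, "ALICE", "FRANK"):
        print(" -> ".join(path))
    validity = compute_validity(SIGNATURES, OWNER_TRUST, "ALICE")
    for key in sorted(SIGNATURES):
        state = f"valid (depth {validity[key]})" if key in validity else "NOT valid"
        print(f"{key:8s} {state}")
```

Frank's key has three signatures and three distinct paths from Alice, yet it is not valid for her: Erin's and Mallory's keys are not valid themselves, and Dave alone is only marginally trusted. Raising Dave to full owner trust is enough to flip Frank to valid, which is exactly the kind of context-dependent judgement the post goes on to argue for.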
A number of people will staunchly proclaim that they will only sign keys of people they have met in person, in order to verify their identity first. This focus on government issued forms of identification is silly, however: you are thereby not confirming somebody's identity, but rather that they are in possession of a (presumably difficult to fake) piece of paper that contains the name you expected. This may be sufficient (and possibly even necessary) in some cases, but for the majority of routine use cases, context and what I've come to expect as far as interactions go is much more important.
When I receive a message from you, I probably am more interested in the answer to the question "Was this message sent by the same person who sent these other messages that I've seen from them?" than an assertion that a person exists that happens to carry the legal name attached to this online identity.
Note also that insistence on being shown a form of physical ID causes significant problems when you are trying to confirm the identity of somebody who is by and large only known by a pseudonym. I care more about whether or not a message from one Moxie Marlinspike is "authentic" than about whether or not it was sent by a person I have confirmed to be Matthew Rosenfeld or Mike Benham. Similarly, within the NetBSD Project, I pay significantly more attention to an email sent by "der Mouse" -- a long-time developer by and large only known by that moniker -- than I would to a message signed by whatever his legal name happens to be.
Context matters, and context can establish authenticity.
Social networks allow you to build an online identity -- many already function as identity brokers: think about how many sites you can already "sign in with Facebook" or "sign in with Twitter"; "verified" accounts are just another form of government issued ID, only here Twitter becomes the government you trust not to lie or make mistakes. The more time you spend on any given social network, the stronger your identity becomes. It is no coincidence that most people seek to reuse their usernames across networks (social as well as professional): by doing so, you inherit the trust in (and authenticity of) your identity from other networks.
You already are trusting Twitter to assert that messages from @jschauma are indeed from the person who established that identity -- "following" would be pointless otherwise. And so, going back to the idea of what you are asserting when you are signing somebody's PGP key, when you see a tweet from me that says:
...then you can probably take my word for it and sign my key.