This blog can't be viewed on LiveJournal. Instead see

  • What about signed messages?

    Well if you want a system for building a web of trust between users and sites, what about cryptographic messages? PGP ( is built around establishing trust and verifying identities. So when someone posts you just have to a) check that the poster is a trusted person and b) that the message is authentic?

    This is, however, well outside the domain of OpenID. But isn't that as it should be? Shouldn't my OpenID be associated with my PGP key at a higher level? Anything we can do to avoid the management problems of blacklist/whitelist "solutions" is a step in the right direction IMHO.
    By ext_28522 at 11:35 pm on 22nd Jan 2007
    • Re: What about signed messages?

      Hash: SHA1

      Sorry, I should try to lead by example.

      As I was trying to say, messages should be cryptographically signed. Sure,
      there needs to be an easy mechanism to do this, but it is the right solution in
      my opinion.

      -----BEGIN PGP SIGNATURE-----
      Version: GnuPG v1.4.3 (GNU/Linux)

      -----END PGP SIGNATURE-----
      By ext_28522 at 11:45 pm on 22nd Jan 2007
    • Re: What about signed messages?

      One of the virtues of OpenID is that it takes all of that complicated cryptography stuff out of the user's hands and lets some other entity (the OpenID Provider) control it on the user's behalf. Of course, the user can choose to do it himself if he wants by running his own personal OpenID Provider.

      Technologies like PGP are doomed so long as I have to be at my own PC to use them. Perhaps with some help from protocols and client software the usability can be improved, but as long as I'm identifying myself with something I can't remember I'm tied to using my identity only in locations where that something (my PGP key) is already stored.

      By Martin Atkins at 08:32 am on 24th Jan 2007