DaemonForums  

  #1   (View Single Post)  
Old 25th October 2017
hanzer hanzer is offline
Real Name: Adam Jensen
just passing through
 
Join Date: Oct 2013
Location: EST USA
Posts: 314
Default An Alternative to the PGP "Web of Trust" Decentralization-ism

What if one could get their PGP key signed by an "official of integrity appointed by state government" (e.g., a Notary Public) or something similar? If a person could physically meet with a validated agent of a centrally organized system of identity authentication, present ID, generate a PGP key-pair, then have this new public key signed by the trusted agent's key, that might enable PGP technology to become a viable form of secure communication for government agencies, banks, universities, etc. Currently, these corporations seem to use funky, ad-hoc methods of ID authentication, often for every transaction.

Significant infrastructure would be required to make this work - maybe a nonprofit corporation to develop and manage the technical policies and political negotiations; and maybe several businesses offering a variety of products and services to the various entities and agencies using the method.

Maybe this thread's title should have been something like: "Open-Source Business Model" or "Public Development Federation Plan". <smirk>
  #2   (View Single Post)  
Old 25th October 2017
ibara ibara is offline
OpenBSD language porter
 
Join Date: Jan 2014
Posts: 783
Default

How would we know we could trust the people we're supposed to trust?
  #3   (View Single Post)  
Old 25th October 2017
hanzer hanzer is offline
Real Name: Adam Jensen
just passing through
 
Join Date: Oct 2013
Location: EST USA
Posts: 314
Default

Quote:
Originally Posted by ibara View Post
How would we know we could trust the people we're supposed to trust?
Can you elaborate? Are you asking something like "how can a person verify that someone who is presenting himself as a Notary Public is in fact a Notary Public"?
  #4   (View Single Post)  
Old 25th October 2017
ibara ibara is offline
OpenBSD language porter
 
Join Date: Jan 2014
Posts: 783
Default

Yes, that. But also, why would we give this central organization our trust in the first place?
  #5   (View Single Post)  
Old 25th October 2017
hanzer hanzer is offline
Real Name: Adam Jensen
just passing through
 
Join Date: Oct 2013
Location: EST USA
Posts: 314
Default

Quote:
Originally Posted by ibara View Post
Yes, that. But also, why would we give this central organization our trust in the first place?
Do you mean that in a sovereign citizen movement kind of way?

It's probably not a good idea to go down that path.
http://www.start.umd.edu/news/sovere...rrorist-threat
  #6   (View Single Post)  
Old 25th October 2017
ibara ibara is offline
OpenBSD language porter
 
Join Date: Jan 2014
Posts: 783
Default

No. I'm about as far away from them politically as one can be.
  #7   (View Single Post)  
Old 26th October 2017
sacerdos_daemonis sacerdos_daemonis is offline
Real Name: Will forever be a secret.
Spam Deminer
 
Join Date: Sep 2014
Posts: 283
Default

Quote:
Originally Posted by hanzer View Post
What if one could get their PGP key signed by an "official of integrity appointed by state government"
That assumes governments can be trusted.

Quote:
If a person could physically meet with a validated agent of a centrally organized system of identity authentication
Is there really a need for centralised control of private message encryption methods? Should such a system also be created for car brakes? Currently, automotive makers set their own standards for brake design. The purpose of that analogy is to argue that centralised control is not always necessary.


Quote:
Significant infrastructure would be required to make this work
Which again raises the question of, is it desirable? Would a cost-benefit analysis suggest the rewards would be greater than the effort?


Quote:
maybe a nonprofit corporation to develop and manage the technical policies and political negotiations; and maybe several businesses offering a variety of products and services to the various entities and agencies using the method.
What makes a group of companies more trustworthy than one? Which can be trusted more? A group of companies or a government (and its "trusted appointees")?
  #8   (View Single Post)  
Old 26th October 2017
hanzer hanzer is offline
Real Name: Adam Jensen
just passing through
 
Join Date: Oct 2013
Location: EST USA
Posts: 314
Default Read it again.

The premise is very simple - it is to use the existing US government's person identification infrastructure to authenticate PGP keys, thereby extending the infrastructure's identity validation methods into the realm of e.g., email.

The products and services mentioned earlier could be anything from a certified mobile app for a Notary Public (or some other ministerial official) to a key management and communication policy support system for a hospital, bank, university, government agency, etc.

It really is a very simple idea. The core technical foundations (e.g., GnuPG) have already been designed, built, and exercised in the world. As far as I know, the tech works. Granted, much is still needed to associate PGP public keys with government-issued IDs in a sufficiently valid manner, but most of what still needs to be built is in the domain of policy, business, and administration.

It seems like there is some opportunity for entrepreneurs who have experience in secure systems configuration and administration. </sales pitch>

Last edited by hanzer; 26th October 2017 at 02:47 PM.