|
| ▲ | transmit101 13 minutes ago | parent | next [-] |
| > Nothing really stopping an agent from getting a key It very much is possible to prevent an agent from having access to a key. For example, local encryption, Yubikey or other hardware device, or just running the agent in an isolated environment. |
|
| ▲ | crote 6 hours ago | parent | prev | next [-] |
| The agent can't exactly show up to an in-person key signing party, can it? And how many people are both dedicated enough to go to key signing parties and stupid enough to let an agent act without supervision in the name of their real-world identity? |
| |
| ▲ | brazzy 2 hours ago | parent [-] | | If gpg-style web of trust became ubiquitous, it would require correspondingly less dedication. And on the other hand, if this was actually working up to an xz style supply chain attack, the dedication would certainly not be lacking. |
|
|
| ▲ | thwarted 5 hours ago | parent | prev | next [-] |
| Having a key isn't a distinguishing aspect, it's the position in the "web of trust" network that is important. |
|
| ▲ | thewebguyd 5 hours ago | parent | prev [-] |
| That's what key signing parties are for. In person verification. |
