3

My best friends would trust who I am and I would also trust who they are, without looking at our government-issued IDs. We went to the same schools and same classes for many years.

However, they now live on the other side of the planet.

Is it practical and/or secure to get them to sign my public key, via something like a live video chat where I read my public key out-loud to them?

Would this have been good enough before recent advances in audio and video synthesis?

Are there still other ways to prove my identity remotely, without resorting to shared secrets from the past when we still lived in the same city?

Jens Erat
  • 23,816
  • 12
  • 75
  • 96
Kal
  • 267
  • 1
  • 6

1 Answers1

3

There is no definition on how you have to verify identities for OpenPGP certifications. This is completely up to you -- some people define a certification policy because of this.

Whether to accept a video chat or not depends on the policy of the certifying side. I would still not expect an attacker being able to render photorealistic video footage in real-time; so embed the key exchange in a conversation, or include multiple persons and for example hand-writing the fingerprint while reading to a whiteboard. Additionally, the paper referenced used many hours of high quality video footage for training -- would you expect this to be available at all? Finally, is an attacker with such powerful computing resources and capabilities available that would risk being observed in such an attack?

Jens Erat
  • 23,816
  • 12
  • 75
  • 96