
Re: Looking For People To Sign My GPG Public Key


Todd Zullinger wrote:
> Robert L Cochran wrote:

> Keysignings are concerned with establishing validity.  The things I am
> attempting to verify at a keysigning are:
>     1) The identity of the person asking me to certify their key.
>     2) The key's fingerprint, id, size, and type
>     3) The email address(es) associated with the key
> I agree that the first item is very difficult to accurately verify for
> someone that you have just met.  But that doesn't mean that no effort
> at all should be made in this regard.

Todd, this is an interesting discussion. You are saying someone should
make an effort to verify another person's identity as a condition of
signing a key. I think such an effort is admirable but is not worth that
time and effort. I've actually gone out to different places as a Thawte
"notary" to meet with different people asking me to authenticate them.
They just need to show me two bits of identification and one of these
has to be a photo id.

Now how am I to know whether the documents I am provided at this meeting
are genuine and were really issued to the person sitting in front of me?
I don't. I have no way to check whether the passport or the driver's
license really is valid. Someone can give me a sweat soaked, grimy
passport from Denmark or France or USA and I have no idea whether it is
genuine. The only thing I can do is decide whether the photo on the
document is that of the person sitting in front of me. But that doesn't
validate the document itself or the person's identity. I still do not
have proof of identity. What I have is a piece of paper or plastic that
asserts an identity and which I have no recourse but to accept, as long
as the photo looks like the person presenting the document to me.

Many passports contain microchips with information about the holder of
the passport. But no ordinary person has access to the information on
the chip, and is unable to validate it. "Smart cards" are wonderful for
the issuing authorities. They are terrible for the person in a Starbucks
trying to assess whether the document and therefore the identity is valid.

So what was the true value of the identity validation effort? I think it
is wholly in meeting a new person. One whom I don't at all know. And
perhaps the hope of a few minutes chat after signing the paperwork. I'm
unlikely to ever do business with the other party. He or she may move to
the Gobi Desert the next day, for all I know.

> If that's really all the level of verification that you want out of
> PGP, then you might look at the PGP Global Directory.  It is a
> somewhat automated way to sign and validate keys.  You submit your key
> to the global directory, they send you an email to verify that you
> control that address.  You click the link in the email to confirm and
> they then sign your key with the global directory key.  Other users
> can mark the global directory key as trusted.

That might be good enough for some forms of usage for the key because it
is a uniform, non-subjective standard for the verification. Maybe
someone only wants to be able to send and receive encrypted documents on
an authenticated basis. If so then the Global Directory may certainly
provide sufficient validation for that purpose. It really depends on
what the senders and receivers will be satisfied with.
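Of the three items on Todd's keysigning list, the second and third are the ones a signer can actually check mechanically: the fingerprint, key id, size and type printed on the slip the owner handed over, and the addresses in the key's user ids, compared against what GnuPG reports for the key fetched from a keyserver. The helper below is an added example, not code from this thread or from GnuPG; it parses the machine-readable output of `gpg --with-colons --fingerprint <keyid>` and lists every mismatch before you run `gpg --sign-key` or `gpg --lsign-key`. The sample output and the slip contents are constructed (the fingerprint is not a real key), and the key-id consistency check assumes a v4 key, whose 64-bit key id is the low 64 bits of the fingerprint. Item 1, the person's identity, is exactly what this cannot check.

```python
"""Keysigning checklist helper (added example; not from the thread or GnuPG).

Feed parse_colons() the output of ``gpg --with-colons --fingerprint <keyid>``
for the key you fetched from a keyserver, and check_key() compares it with
the slip you verified in person: fingerprint, key id, size, type, e-mails.
SAMPLE_OUTPUT and SLIP below are constructed; the key is not real.
"""
import re

# OpenPGP public-key algorithm ids as GnuPG prints them in field 4 of a pub record.
ALGO_NAMES = {1: "RSA", 17: "DSA", 18: "ECDH", 19: "ECDSA", 22: "EdDSA"}

# Constructed sample of `gpg --with-colons --fingerprint` output (fake key).
SAMPLE_OUTPUT = """\
tru::1:1700000000:0:3:1:5
pub:-:2048:1:89ABCDEF01234567:1700000000:::-:::scESC::::::23::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:-::::1700000000::0000000000000000000000000000000000000000::Alice Example <alice@example.org>::::::::::0:
uid:-::::1700000000::1111111111111111111111111111111111111111::Alice Example <alice@example.net>::::::::::0:
sub:-:2048:1:FEDCBA9876543210:1700000000::::::e::::::23:
fpr:::::::::FEDCBA9876543210FEDCBA9876543210FEDCBA98:
"""

# What the owner wrote on the slip and you checked against the photo id (constructed).
SLIP = {
    "fingerprint": "0123 4567 89AB CDEF 0123  4567 89AB CDEF 0123 4567",
    "keyid": "0x89ABCDEF01234567",
    "size": 2048,
    "type": "RSA",
    "emails": ["alice@example.org", "alice@example.net"],
}


def parse_colons(output):
    """Extract the primary key's id, size, algorithm, fingerprint and user ids."""
    key = {"uids": [], "fingerprint": None}
    previous = None
    for line in output.splitlines():
        fields = line.split(":")
        record = fields[0]
        if record == "pub":
            key["size"] = int(fields[2])
            key["type"] = ALGO_NAMES.get(int(fields[3]), "algo" + fields[3])
            key["keyid"] = fields[4].upper()
        elif record == "fpr" and previous == "pub":
            key["fingerprint"] = fields[9].upper()  # fpr right after pub is the primary key
        elif record == "uid":
            key["uids"].append(fields[9].replace("\\x3a", ":"))  # gpg escapes ':' in uids
        previous = record
    return key


def normalize_hex(text):
    """Drop the spacing gpg prints and any 0x prefix; uppercase the hex digits."""
    hex_only = re.sub(r"\s+", "", text).upper()
    return hex_only[2:] if hex_only.startswith("0X") else hex_only


def emails_of(key):
    """E-mail addresses taken from the key's user ids, lowercased and sorted."""
    found = []
    for uid in key["uids"]:
        match = re.search(r"<([^>]+)>", uid)
        if match:
            found.append(match.group(1).lower())
    return sorted(found)


def check_key(slip, key):
    """Compare the slip with the key; returns the list of mismatches (empty means sign)."""
    problems = []
    slip_fpr = normalize_hex(slip["fingerprint"])
    if slip_fpr != key["fingerprint"]:
        problems.append("fingerprint on slip %s != key %s" % (slip_fpr, key["fingerprint"]))
    # Assumes a v4 key: the long key id is the low 64 bits of the fingerprint.
    if key["keyid"] != key["fingerprint"][-16:]:
        problems.append("key id %s is not the low 64 bits of the fingerprint" % key["keyid"])
    slip_id = normalize_hex(slip["keyid"])
    if len(slip_id) not in (8, 16) or not key["keyid"].endswith(slip_id):
        problems.append("key id on slip %s != key %s" % (slip_id, key["keyid"]))
    if slip["size"] != key["size"] or slip["type"] != key["type"]:
        problems.append("slip says %d-bit %s, key is %d-bit %s"
                        % (slip["size"], slip["type"], key["size"], key["type"]))
    slip_emails = {addr.lower() for addr in slip["emails"]}
    key_emails = set(emails_of(key))
    for addr in sorted(slip_emails - key_emails):
        problems.append("address %s on slip is not in the key" % addr)
    for addr in sorted(key_emails - slip_emails):
        problems.append("address %s on key was not verified" % addr)
    return problems


if __name__ == "__main__":
    parsed = parse_colons(SAMPLE_OUTPUT)
    for line in check_key(SLIP, parsed) or ["all checks passed; ok to gpg --sign-key " + parsed["keyid"]]:
        print(line)
```

Addresses present on the key but not verified on the slip are reported too: a signature certifies every user id unless you sign them individually, so an address you did not check should be left unsigned.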


