Todd Zullinger wrote:
> Robert L Cochran wrote:
> Keysignings are concerned with establishing validity. The things I am
> attempting to verify at a keysigning are:
>
> 1) The identity of the person asking me to certify their key.
> 2) The key's fingerprint, id, size, and type
> 3) The email address(es) associated with the key
>
> I agree that the first item is very difficult to accurately verify for
> someone that you have just met. But that doesn't mean that no effort
> at all should be made in this regard.

Todd, this is an interesting discussion. You are saying someone should make an effort to verify another person's identity as a condition of signing a key. I think such an effort is admirable but is not worth that time and effort.

I've actually gone out to different places as a Thawte "notary" to meet with different people asking me to authenticate them. They just need to show me two bits of identification and one of these has to be a photo id. Now how am I to know whether the documents I am provided at this meeting are genuine and were really issued to the person sitting in front of me? I don't. I have no way to check whether the passport or the driver's license really is valid. Someone can give me a sweat soaked, grimy passport from Denmark or France or USA and I have no idea whether it is genuine. The only thing I can do is decide whether the photo on the document is that of the person sitting in front of me. But that doesn't validate the document itself or the person's identity. I still do not have proof of identity. What I have is a piece of paper or plastic that asserts an identity and which I have no recourse but to accept, as long as the photo looks like the person presenting the document to me.

Many passports contain microchips with information about the holder of the passport. But no ordinary person has access to the information on the chip, and is unable to validate it. "Smart cards" are wonderful for the issuing authorities. They are terrible for the person in a Starbucks trying to assess whether the document and therefore the identity is valid.

So what was the true value of the identity validation effort? I think it is wholly in meeting a new person. One whom I don't at all know. And perhaps the hope of a few minutes chat after signing the paperwork. I'm unlikely to ever do business with the other party. He or she may move to the Gobi Desert the next day, for all I know.

> If that's really all the level of verification that you want out of
> PGP, then you might look at the PGP Global Directory. It is a
> somewhat automated way to sign and validate keys. You submit your key
> to the global directory, they send you an email to verify that you
> control that address. You click the link in the email to confirm and
> they then sign your key with the global directory key. Other users
> can mark the global directory key as trusted.

That might be good enough for some forms of usage for the key because it is a uniform, non-subjective standard for the verification. Maybe someone only wants to be able to send and receive encrypted documents on an authenticated basis. If so then the Global Directory may certainly provide sufficient validation for that purpose. It really depends on what the senders and receivers will be satisfied with.

Bob
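Items 2 and 3 of the keysigning checklist quoted above (fingerprint, id, size, type, and the e-mail addresses on the key) are the ones a signer can actually check mechanically. The following is an added example, not code from either poster: it parses the machine-readable output of `gpg --with-colons --fingerprint --list-keys` and compares it with what a participant wrote on their keysigning slip. The key data below is a constructed sample with a placeholder fingerprint.

```python
"""Keysigning checklist helper: does the key match the slip?
Added example. Input is `gpg --with-colons --fingerprint --list-keys KEYID`
output; the SAMPLE below is constructed (placeholder key, not a real one)."""
import re

# Constructed sample in gpg's --with-colons format (fields are ':'-separated).
SAMPLE = """\
pub:u:2048:1:89ABCDEF01234567:1200000000:::u:::scESC::::::
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:u::::1200000000::0000000000000000000000000000000000000000::Bob Example <bob@example.org>::::::::::0:
uid:u::::1200000000::0000000000000000000000000000000000000000::Bob Example <bob@example.net>::::::::::0:
sub:u:2048:1:FEDCBA9876543210:1200000000::::::e::::::
"""

# OpenPGP public-key algorithm ids as reported in field 4 of a pub record.
ALGO = {1: "RSA", 17: "DSA", 18: "ECDH", 19: "ECDSA", 22: "EdDSA"}

def parse_colons(text):
    """Return the primary key's id, type, size, fingerprint and UID e-mails."""
    info = {"emails": []}
    for line in text.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            info["size"] = int(f[2])                       # key length in bits
            info["type"] = ALGO.get(int(f[3]), "algo " + f[3])
            info["keyid"] = f[4]                           # long (64-bit) key id
        elif f[0] == "fpr" and "fingerprint" not in info:
            info["fingerprint"] = f[9]                     # first fpr = primary key
        elif f[0] == "uid":
            m = re.search(r"<([^>]+)>", f[9])              # e-mail inside <...>
            if m:
                info["emails"].append(m.group(1).lower())
    return info

def normalize_fpr(s):
    """Strip the spaces people write between fingerprint groups."""
    return re.sub(r"[^0-9A-F]", "", s.upper())

def check_claims(text, claimed_fpr, claimed_email):
    """Compare the slip with the key. Only the full fingerprint identifies a
    key; the short id is just its tail, so it is checked for consistency only."""
    info = parse_colons(text)
    problems = []
    if normalize_fpr(claimed_fpr) != info.get("fingerprint"):
        problems.append("fingerprint on the slip does not match the key")
    if not info.get("fingerprint", "").endswith(info.get("keyid", "?")):
        problems.append("key id does not match the fingerprint")
    if claimed_email.lower() not in info["emails"]:
        problems.append(claimed_email + " is not a user id on this key")
    return info, problems
```

Only a clean result for the fingerprint and e-mail items says anything about the key; the identity item from the thread still has to be judged in person.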