Robert L Cochran wrote:
> Todd, this is an interesting discussion. You are saying someone
> should make an effort to verify another person's identity as a
> condition of signing a key. I think such an effort is admirable but
> is not worth that time and effort.

You are free to that opinion, but you should be aware that many people
who use gpg will not agree with you and will place little to no value
in any signatures you issue on keys if your policy for signing keys
includes no attempt to check the key owner's purported identity. :)

> I've actually gone out to different places as a Thawte "notary" to
> meet with different people asking me to authenticate them. They
> just need to show me two bits of identification and one of these has
> to be a photo id.
>
> Now how am I to know whether the documents I am provided at this
> meeting are genuine and were really issued to the person sitting in
> front of me? I don't. I have no way to check whether the passport
> or the driver's license really is valid. Someone can give me a sweat
> soaked, grimy passport from Denmark or France or USA and I have no
> idea whether it is genuine. The only thing I can do is decide
> whether the photo on the document is that of the person sitting in
> front of me. But that doesn't validate the document itself or the
> person's identity. I still do not have proof of identity. What I
> have is a piece of paper or plastic that asserts an identity and
> which I have no recourse but to accept, as long as the photo looks
> like the person presenting the document to me.

This is true. It's obviously next to impossible to ever fully "prove"
your identity to someone else. What's really desired IMO is to verify
that someone is using a consistent identity. If you pass yourself off
as Robert L Cochran in many contexts and have photo ID that shows
this, then whether or not you truly are named Robert L Cochran or not,
you've still established that as an identity. As far as the PGP web of
trust is concerned, others that have met you as Robert L Cochran can
begin to gain trust in this identity based on the signatures of other
users who have also met you as Robert L Cochran.

> Many passports contain microchips with information about the holder
> of the passport. But no ordinary person has access to the
> information on the chip, and is unable to validate it. "Smart cards"
> are wonderful for the issuing authorities. They are terrible for the
> person in a Starbucks trying to assess whether the document and
> therefore the identity is valid.

When you really get down to it, do you trust the "issuing authorities"
to truly be authoritative and trustworthy in the task of identifying
individuals? Honestly, I don't. (I think most governments are in over
their heads when it comes to mail delivery, so most of the more
important tasks are way beyond their abilities to do properly. :)

What I'm looking for when checking photo ID is that the holder of the
ID is creating a consistent identity that they're using on their key
and in person. Whether the name on these documents is their given
legal name is outside the scope of what I am able to or interested in
validating. Now, if someone has what appears to be an obviously forged
ID, I reserve the right to not accept it and not sign their key.

> So what was the true value of the identity validation effort? I
> think it is wholly in meeting a new person. One whom I don't at all
> know. And perhaps the hope of a few minutes chat after signing the
> paperwork. I'm unlikely to ever do business with the other party. He
> or she may move to the Gobi Desert the next day, for all I know.

True, but why sign the person's key at all then? Would you incorporate
some sort of email challenge to verify that the user could receive
email at the address(es) listed on the key and could sign data using
the key? How would you go about checking the key info? Checking that
via email opens you up to all sorts of man in the middle games, which
is why it's best to trade key info in person (or over the phone if
it's someone that you know well enough to recognize their voice).

I prefer to sign keys of people I have known for some time. I am
willing to sign keys from people I have just met, but with a lower
certification level and with several other verification steps required
(the ID check, key info check, and an email challenge to each uid on
the key). After all of that, what my signature on the key means is
that this key matches the ID of the person that presented it to me,
has the proper fingerprint, size, type, etc., and that they can
receive email at the uid's listed on the key and make signatures using
that key. It really says no more than that. Specifically, it doesn't
imply that I know them well or trust them for any purpose. That part
is left up to each user.

>> If that's really all the level of verification that you want out of
>> PGP, then you might look at the PGP Global Directory. It is a
>> somewhat automated way to sign and validate keys. You submit your
>> key to the global directory, they send you an email to verify that
>> you control that address. You click the link in the email to
>> confirm and they then sign your key with the global directory key.
>> Other users can mark the global directory key as trusted.
>
> That might be good enough for some forms of usage for the key
> because it is a uniform, non-subjective standard for the
> verification. Maybe someone only wants to be able to send and
> receive encrypted documents on an authenticated basis. If so then
> the Global Directory may certainly provide sufficient validation for
> that purpose. It really depends on what the senders and receivers
> will be satisfied with.

Yeah, the PGP global directory is a handy tool that facilitates easy
opportunistic encryption among a wider range of people. It is
certainly not secure enough for some usage and some people. What's
nice about the PGP trust model is that everyone gets to pick who they
trust and how much. That's a much more natural thing than the typical
top-down hierarchies you find in things like SSL/TLS.

-- 
Todd        OpenPGP -> KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
What it means to take rights seriously is that one will honor them
even when there is a significant social cost in doing so.
    -- Ronald Dworkin
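The key info check and the per-uid email challenge described in the message above, sketched as an added example (it is not part of the original message or any tool its author uses). The key listing is a constructed sample in GnuPG's `--with-colons` format, and the function names and the "slip" of details exchanged in person are assumptions.

```python
import hmac
import secrets

# Constructed sample (not a real key), shaped like the output of
# `gpg --with-colons --fingerprint --list-keys <key>`.
SAMPLE_LISTING = """\
pub:-:4096:1:1111222233334444:1136073600:::-:::scESC:
fpr:::::::::AAAABBBBCCCCDDDDEEEEFFFF1111222233334444:
uid:-::::1136073600::0123456789ABCDEF0123456789ABCDEF01234567::Alice Example <alice@example.org>:
uid:-::::1136073600::89ABCDEF0123456789ABCDEF0123456789ABCDEF::Alice Example <alice@work.example>:
sub:-:4096:1:5555666677778888:1136073600::::::e:
"""
ALGO_NAMES = {"1": "RSA", "16": "ELG", "17": "DSA", "22": "EdDSA"}

def parse_key_info(listing):
    """Return type, size, fingerprint and uids of the primary key."""
    info = {"uids": []}
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] == "sub":            # subkey records follow; stop here
            break
        if f[0] == "pub":
            info["size"], info["type"] = int(f[2]), ALGO_NAMES.get(f[3], f[3])
        elif f[0] == "fpr":
            info["fingerprint"] = f[9]
        elif f[0] == "uid":
            info["uids"].append(f[9])
    return info

def key_info_mismatches(info, slip):
    """Compare the fetched key with details traded in person (hypothetical slip)."""
    want_fpr = "".join(slip["fingerprint"].split()).upper()
    checks = {
        "fingerprint": info["fingerprint"] == want_fpr,
        "size": info["size"] == slip["size"],
        "type": info["type"] == slip["type"],
    }
    return [name for name, ok in checks.items() if not ok]

def make_challenges(info):
    """One random token per uid, to be sent encrypted to that address only."""
    return {uid: secrets.token_hex(16) for uid in info["uids"]}

def unverified_uids(challenges, signed_replies):
    """signed_replies maps uid -> token taken from a reply whose signature
    verified against the key; uids listed here should not be certified."""
    return [uid for uid, token in challenges.items()
            if not hmac.compare_digest(token, signed_replies.get(uid, ""))]
```

The fingerprint on the slip is the only value here that did not travel over email, which is why it is the reference the fetched key is compared against.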