
Re: PGP Key Signing HOWTO: preparation for Linux Expo



On Wed, Apr 28, 1999 at 04:54:09AM -0700, Jonathan Walther wrote:
> Speaking of which, Wichert, I've met you in person. Will you sign my key?
> (the enclosed one, not the one currently on the debian public ring).  If you
> aren't sure this email is from me, the signatures of 5 other developers on
> my key should convince you :>

Never ask someone to sign your key based solely on what signatures are
already on it, and never do so for someone else.

The idea behind signatures on a key is that each of the people signing it
has independently authenticated the physical person as corresponding to the
key in question, using some kind of (usually government-issued)
identification card.  It does not matter what you use to establish the
identity of the person whose key you are signing, as long as you're
comfortable enough in its authenticity that you would, say, testify in
court that you reasonably believe the person is who they claim themselves
to be.  

If, once in a while, someone is taken in by a con artist presenting
something like a forged driver's license, and signs an inauthentic PGP key,
that does not do as much damage to the PGP system of trust as many people
being careless about what they accept as valid identification in the first
place.  In the United States, for instance, it is usually not a crime to
lie to someone about who you are, but it is a criminal act to possess
falsified government-issued identification documents.  The idea is that we
want people to have to be breaking the law to subvert the PGP trust system
in this manner.

Please consider adding the above paragraphs to the PGP Key Signing HOWTO.
(Unless someone on the list shows me how I'm wrong about this.)

-- 
G. Branden Robinson              |    The greatest productive force is human
Debian GNU/Linux                 |    selfishness.
branden@ecn.purdue.edu           |    -- Robert Heinlein
cartoon.ecn.purdue.edu/~branden/ |
