[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: PGP Key Signing HOWTO: preparation for Linux Expo

On Wed, Apr 28, 1999 at 01:19:55PM -0400, Branden Robinson wrote:
> > Speaking of which, Wichert, I've met you in person. Will you sign my key?
> > (the enclosed one, not the one currently on the debian public ring).  If you
> > aren't sure this email is from me, the signatures of 5 other developers on
> > my key should convince you :>
> Never ask someone to sign your key based solely on what signatures are
> already on it, and never do so for someone else.

Wholeheared agreement (who'd have thought I'd ever be wholeheartedly
agreeing with Branden eh?)

> The idea behind signatures on a key is that each of the people signing it
> has independently authenticated the physical person as corresponding to the
> key in question, using some kind of (usually government-issued)
> identification card.  It does not matter what you use to establish the
> identity of the person whose key you are signing, as long as you're
> comfortable enough in its authenticity that you would, say, testify in
> court that you reasonably believe the person is who they claim themselves
> to be.  

It does matter.  You have to be certain.  A person I know well enough
that I would recognize their voice, have seen their ID, and calling me to
verify keyid, size, and fingerprint is good enough for me (because I have
good memory for what people who are ... um, unique and stand out in my
mind (krooger for his trademark silly hat among other things) is enough
for me if I can be certain it's them, but otherwise, I need to have met
them and be sure.

Another reasonable way to identify someone who wants a new key or userid
on their old key signed is if they send me a message signed by their
current key (which has my signature) with the new one and a request.. 
This is good if you've got an old email address that is no longer valid
(my earthlink address) and you'd like it removed.  Note this is not easy
to do with PGP at the moment.

> If, once in a while, someone is taken in by a con artist presenting
> something like a forged driver's license, and signs an inauthentic PGP key,
> that does not do as much damage to the PGP system of trust as many people
> being careless about what they accept as valid identification in the first
> place.  In the United States, for instance, it is usually not a crime to
> lie to someone about who you are, but it is a criminal act to possess
> falsified government-issued identification documents.  The idea is that we
> want people to have to be breaking the law to subvert the PGP trust system
> in this manner.

You're right.  In fact in most states it's ILLEGAL to do things like scan
ID for the purposes of verification of identity.  I mentioned this to
james when we talked---Oregon was such a state.  You can however get ID
which lists an alias.  I mentioned to Social Security the lasttime I was
in there for something or other (notifying them that I moved IIRC) and
they said that if I wanted to wait they'd give me a card with "Joseph
Carter" on it as opposed to "Thomas J. Carter" since I don't use my first
name.  I could have done the same for DMV ID, but again chose not to.

> Please consider adding the above paragraphs to the PGP Key Signing HOWTO.
> (Unless someone on the list shows me how I'm wrong about this.)

No, you're right.  Identity fraud will get you time in federal prison. 
You can get any name you want on your ID, as long as their records can
reference your legal name with it.  And you can change that for a
processing fee.  Of course it will still list your given name prior to
that.  You cannot escape Big Brother!

Joseph Carter <knghtbrd@debian.org>            Debian GNU/Linux developer
PGP: E8D68481E3A8BB77 8EE22996C9445FBE            The Source Comes First!
* Caytln slaps Lisa
<Caytln> catfight :P
<LisaHere> Watch it girl, I like that.
<LisaHere> :)
<Caytln> figures :D

Attachment: pgpXhf77v5PW1.pgp
Description: PGP signature

Reply to: