
Re: PGP Key Signing HOWTO: preparation for Linux Expo



Yes, but we all know that I've met Wichert in person :p  So I don't
understand the excessiveness I see displayed here.  Joseph, you SAW me
hanging out with Wichert :>  In any other circumstance, your comments are
very valid, and any newbie would do well to study them with care.

Jonathan
The guy carrying the fluffy blue bunnyrabbit :p

On Wed, 28 Apr 1999, Joseph Carter wrote:

> On Wed, Apr 28, 1999 at 01:19:55PM -0400, Branden Robinson wrote:
> > > Speaking of which, Wichert, I've met you in person. Will you sign my key?
> > > (the enclosed one, not the one currently on the debian public ring).  If you
> > > aren't sure this email is from me, the signatures of 5 other developers on
> > > my key should convince you :>
> > 
> > Never ask someone to sign your key based solely on what signatures are
> > already on it, and never do so for someone else.
> 
> Wholehearted agreement (who'd have thought I'd ever be wholeheartedly
> agreeing with Branden eh?)
> 
> 
> > The idea behind signatures on a key is that each of the people signing it
> > has independently authenticated the physical person as corresponding to the
> > key in question, using some kind of (usually government-issued)
> > identification card.  It does not matter what you use to establish the
> > identity of the person whose key you are signing, as long as you're
> > comfortable enough in its authenticity that you would, say, testify in
> > court that you reasonably believe the person is who they claim themselves
> > to be.  
> 
> It does matter.  You have to be certain.  A person I know well enough
> that I would recognize their voice, have seen their ID, and calling me to
> verify keyid, size, and fingerprint is good enough for me (because I have
> good memory for what people who are ... um, unique and stand out in my
> mind (krooger for his trademark silly hat among other things) is enough
> for me if I can be certain it's them, but otherwise, I need to have met
> them and be sure.
> 
> Another reasonable way to identify someone who wants a new key or userid
> on their old key signed is if they send me a message signed by their
> current key (which has my signature) with the new one and a request.
> This is good if you've got an old email address that is no longer valid
> (my earthlink address) and you'd like it removed.  Note this is not easy
> to do with PGP at the moment.
> 
> 
> > If, once in a while, someone is taken in by a con artist presenting
> > something like a forged driver's license, and signs an inauthentic PGP key,
> > that does not do as much damage to the PGP system of trust as many people
> > being careless about what they accept as valid identification in the first
> > place.  In the United States, for instance, it is usually not a crime to
> > lie to someone about who you are, but it is a criminal act to possess
> > falsified government-issued identification documents.  The idea is that we
> > want people to have to be breaking the law to subvert the PGP trust system
> > in this manner.
> 
> You're right.  In fact in most states it's ILLEGAL to do things like scan
> ID for the purposes of verification of identity.  I mentioned this to
> James when we talked---Oregon was such a state.  You can however get ID
> which lists an alias.  I mentioned to Social Security the last time I was
> in there for something or other (notifying them that I moved IIRC) and
> they said that if I wanted to wait they'd give me a card with "Joseph
> Carter" on it as opposed to "Thomas J. Carter" since I don't use my first
> name.  I could have done the same for DMV ID, but again chose not to.
> 
> 
> > Please consider adding the above paragraphs to the PGP Key Signing HOWTO.
> > (Unless someone on the list shows me how I'm wrong about this.)
> 
> No, you're right.  Identity fraud will get you time in federal prison. 
> You can get any name you want on your ID, as long as their records can
> reference your legal name with it.  And you can change that for a
> processing fee.  Of course it will still list your given name prior to
> that.  You cannot escape Big Brother!
> 
> --
> Joseph Carter <knghtbrd@debian.org>            Debian GNU/Linux developer
> PGP: E8D68481E3A8BB77 8EE22996C9445FBE            The Source Comes First!
> -------------------------------------------------------------------------
> * Caytln slaps Lisa
> <Caytln> catfight :P
> <LisaHere> Watch it girl, I like that.
> <LisaHere> :)
> <Caytln> figures :D
> 

