Re: PGP Key Signing HOWTO: preparation for Linux Expo
Yes, but we all know that I've met Wichert in person :p So I don't
understand the excessiveness I see displayed here. Joseph, you SAW me
hanging out with Wichert :> In any other circumstance, your comments are
very valid, and any newbie would do well to study them with care.
The guy carrying the fluffy blue bunny rabbit :p
On Wed, 28 Apr 1999, Joseph Carter wrote:
> On Wed, Apr 28, 1999 at 01:19:55PM -0400, Branden Robinson wrote:
> > > Speaking of which, Wichert, I've met you in person. Will you sign my key?
> > > (the enclosed one, not the one currently on the debian public ring). If you
> > > aren't sure this email is from me, the signatures of 5 other developers on
> > > my key should convince you :>
> > Never ask someone to sign your key based solely on what signatures are
> > already on it, and never do so for someone else.
> Wholehearted agreement (who'd have thought I'd ever be wholeheartedly
> agreeing with Branden eh?)
> > The idea behind signatures on a key is that each of the people signing it
> > has independently authenticated the physical person as corresponding to the
> > key in question, using some kind of (usually government-issued)
> > identification card. It does not matter what you use to establish the
> > identity of the person whose key you are signing, as long as you're
> > comfortable enough in its authenticity that you would, say, testify in
> > court that you reasonably believe the person is who they claim themselves
> > to be.
> It does matter. You have to be certain. A person I know well enough
> that I would recognize their voice, who has shown me their ID, and who calls me to
> verify keyid, size, and fingerprint is good enough for me (because I have a
> good memory for people who are ... um, unique and stand out in my
> mind, krooger for his trademark silly hat among other things); that is enough
> for me if I can be certain it's them, but otherwise I need to have met
> them and be sure.
> Another reasonable way to identify someone who wants a new key or userid
> on their old key signed is if they send me a message signed by their
> current key (which has my signature) with the new one and a request.
> This is good if you've got an old email address that is no longer valid
> (my earthlink address) and you'd like it removed. Note this is not easy
> to do with PGP at the moment.
> > If, once in a while, someone is taken in by a con artist presenting
> > something like a forged driver's license, and signs an inauthentic PGP key,
> > that does not do as much damage to the PGP system of trust as many people
> > being careless about what they accept as valid identification in the first
> > place. In the United States, for instance, it is usually not a crime to
> > lie to someone about who you are, but it is a criminal act to possess
> > falsified government-issued identification documents. The idea is that we
> > want people to have to be breaking the law to subvert the PGP trust system
> > in this manner.
> You're right. In fact in most states it's ILLEGAL to do things like scan
> ID for the purposes of verification of identity. I mentioned this to
> James when we talked---Oregon was such a state. You can however get ID
> which lists an alias. I mentioned to Social Security the last time I was
> in there for something or other (notifying them that I moved IIRC) and
> they said that if I wanted to wait they'd give me a card with "Joseph
> Carter" on it as opposed to "Thomas J. Carter" since I don't use my first
> name. I could have done the same for DMV ID, but again chose not to.
> > Please consider adding the above paragraphs to the PGP Key Signing HOWTO.
> > (Unless someone on the list shows me how I'm wrong about this.)
> No, you're right. Identity fraud will get you time in federal prison.
> You can get any name you want on your ID, as long as their records can
> reference your legal name with it. And you can change that for a
> processing fee. Of course it will still list your given name prior to
> that. You cannot escape Big Brother!
> Joseph Carter <email@example.com> Debian GNU/Linux developer
> PGP: E8D68481E3A8BB77 8EE22996C9445FBE The Source Comes First!
> * Caytln slaps Lisa
> <Caytln> catfight :P
> <LisaHere> Watch it girl, I like that.
> <LisaHere> :)
> <Caytln> figures :D
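Joseph's check above is to read back "keyid, size, and fingerprint" with the person on the phone. As an added example (not code from anyone in this thread), the following shows how those three values are derived from RSA public-key material per RFC 4880 section 12.2, for the v3 keys of the PGP 2.x era (MD5, 32 hex digits, the format in the signature above) and for v4 keys (SHA-1, 40 hex digits). All key material is constructed sample data.

```python
# Added example, not from the original thread: derive the OpenPGP fingerprint
# and key ID from RSA public-key material as RFC 4880 section 12.2 defines them.
# v3 keys: MD5 fingerprint, key ID = low 64 bits of n. v4 keys: SHA-1
# fingerprint, key ID = low 64 bits of the fingerprint. The sample values
# below are constructed and far too small to be a real key.
import hashlib
import struct


def mpi(value):
    """Encode an integer as an OpenPGP MPI: 2-byte bit length, then big-endian bytes."""
    body = value.to_bytes((value.bit_length() + 7) // 8, "big")
    return struct.pack(">H", value.bit_length()) + body


def v3_fingerprint_and_keyid(n, e):
    """v3 RSA: fingerprint = MD5 over the MPI bodies of n then e (no length prefixes);
    key ID = the low-order 64 bits of the modulus n itself, independent of e."""
    bodies = mpi(n)[2:] + mpi(e)[2:]
    fpr = hashlib.md5(bodies).hexdigest().upper()
    return fpr, f"{n & 0xFFFFFFFFFFFFFFFF:016X}"


def v4_fingerprint_and_keyid(created, n, e):
    """v4 RSA: fingerprint = SHA-1 over 0x99 || 2-byte body length || body, where
    body = version 4 || creation time || algorithm (1 = RSA) || MPI(n) || MPI(e);
    key ID = the low-order 64 bits of that fingerprint."""
    body = b"\x04" + struct.pack(">I", created) + b"\x01" + mpi(n) + mpi(e)
    fpr = hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()
    return fpr, fpr[-16:]


def key_size_bits(n):
    """The 'size' read out alongside the fingerprint: the bit length of the modulus."""
    return n.bit_length()


def format_fingerprint(fpr):
    """Group the fingerprint in 4-digit blocks, the way it is read out over the phone.
    The key ID is only a tail of this string, so the whole fingerprint is compared."""
    return " ".join(fpr[i:i + 4] for i in range(0, len(fpr), 4))


# Constructed sample values (NOT a real key).
SAMPLE_N = 0xC2F3E6A1B5D4C3F20918273645ABCDEF0123456789ABCDEF1122334455667788
SAMPLE_E = 0x10001
SAMPLE_CREATED = 925250000  # seconds since the epoch, late April 1999

if __name__ == "__main__":
    fpr3, kid3 = v3_fingerprint_and_keyid(SAMPLE_N, SAMPLE_E)
    fpr4, kid4 = v4_fingerprint_and_keyid(SAMPLE_CREATED, SAMPLE_N, SAMPLE_E)
    print(f"v3 {key_size_bits(SAMPLE_N)}-bit: {format_fingerprint(fpr3)}  key ID {kid3}")
    print(f"v4 {key_size_bits(SAMPLE_N)}-bit: {format_fingerprint(fpr4)}  key ID {kid4}")
```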