Keysigning without physically meeting ... thoughts?

To: debian-devel@lists.debian.org
Subject: Keysigning without physically meeting ... thoughts?
From: "Wesley J. Landaker" <wjl@icecavern.net>
Date: Tue, 31 May 2005 09:03:12 -0600
Message-id: <[🔎] 200505310903.16322.wjl@icecavern.net>
In-reply-to: <200505310845.01461.wjl@icecavern.net>
References: <200505290714.53010.wjl@icecavern.net> <200505310152.10539.lawrence_cecil_williams@hotmail.com> <200505310845.01461.wjl@icecavern.net>

Hi folks,

I wrote this up to someone. I thought I'd share it, and get your thoughts.
(e.g. anybody see any weaknesses in #1-#3 that *aren't* present in the 
typical meet, check ID, get GPG fingerprint, assuming #4 is always used 
afterwards?)

On Tuesday 31 May 2005 08:44, Wesley J. Landaker wrote:
> For instance, I don't know if this is officially acceptable or not, but I
> would probably be willing to sign someone's key even if I hadn't met them
> in person, if I got in the mail:
>
>   1) A picture of them holding a recent newspaper with their GPG
> fingerprint and signature written on it. (This would relate the person's
> face & signature with their GPG key, and verify that it's recent).
>  
>   2) A copy of an acceptable (probably government-issued, non-expired)
> picture ID. (This would relate the person's face with their "government"
> identity).
>
>   3) A signed, dated, and notarized statement saying something to the
> effect of "My name is ______, my active e-mail that I control is
> ____@______._____, and the GPG fingerprint of my active key that I
> control and is not compromised is ______________________. Attached to
> this statement is a picture of me with a newspaper dated _______ with the
> same GPG fingerprint, and a copy of my _______ photo ID, which I have
> shown to the undersigned notary. Signed __________, notarized by
> ___________." (Relates the date (which should be reasonably close to the
> time when the picture in #1 was taken--a few weeks at the most), their
> name, e-mail, and GPG fingerprint together by the statement, and the
> picture from #1, and with their "government" identity, as that is checked
> by the notary).
>
>   4) I'd sign the key, and send the updated key to the e-mail address
> given, signed by the GPG key with the fingerprint given. (Relates the
> e-mail address with the GPG key, as if they can't get the e-mail or
> decrypt the e-mail to get the signature, it effectively hasn't really
> been signed).

-- 
Wesley J. Landaker <wjl@icecavern.net>
OpenPGP FP: 4135 2A3B 4726 ACC5 9094  0097 F0A9 8A4C 4CD6 E3D2

Attachment: pgpUo5PYUIEmt.pgp
Description: PGP signature

Reply to:

Follow-Ups:
- Re: Keysigning without physically meeting ... thoughts?
  - From: Andrew Suffield <asuffield@debian.org>

Prev by Date: Re: Dear Adrian Bunk, Please hold off a week or two
Next by Date: Bug#311371: ITP: elektra -- A framework to store configuration atoms hierarchically
Previous by thread: Bug#311348: ITP: ptunnel -- Send TCP traffic over ICMP
Next by thread: Re: Keysigning without physically meeting ... thoughts?
Index(es):
- Date
- Thread