[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Keysigning without physically meeting ... thoughts?



Hi folks,

I wrote this up to someone. I thought I'd share it, and get your thoughts.
(e.g. anybody see any weaknesses in #1-#3 that *aren't* present in the 
typical meet, check ID, get GPG fingerprint, assuming #4 is always used 
afterwards?)

On Tuesday 31 May 2005 08:44, Wesley J. Landaker wrote:
> For instance, I don't know if this is officially acceptable or not, but I
> would probably be willing to sign someone's key even if I hadn't met them
> in person, if I got in the mail:
>
>   1) A picture of them holding a recent newspaper with their GPG
> fingerprint and signature written on it. (This would relate the person's
> face & signature with their GPG key, and verify that it's recent).
>  
>   2) A copy of an acceptable (probably government-issued, non-expired)
> picture ID. (This would relate the person's face with their "government"
> identity).
>
>   3) A signed, dated, and notarized statement saying something to the
> effect of "My name is ______, my active e-mail that I control is
> ____@______._____, and the GPG fingerprint of my active key that I
> control and is not compromised is ______________________. Attached to
> this statement is a picture of me with a newspaper dated _______ with the
> same GPG fingerprint, and a copy of my _______ photo ID, which I have
> shown to the undersigned notary. Signed __________, notarized by
> ___________." (Relates the date (which should be reasonably close to the
> time when the picture in #1 was taken--a few weeks at the most), their
> name, e-mail, and GPG fingerprint together by the statement, and the
> picture from #1, and with their "government" identity, as that is checked
> by the notary).
>
>   4) I'd sign the key, and send the updated key to the e-mail address
> given, signed by the GPG key with the fingerprint given. (Relates the
> e-mail address with the GPG key, as if they can't get the e-mail or
> decrypt the e-mail to get the signature, it effectively hasn't really
> been signed).

-- 
Wesley J. Landaker <wjl@icecavern.net>
OpenPGP FP: 4135 2A3B 4726 ACC5 9094  0097 F0A9 8A4C 4CD6 E3D2

Attachment: pgpYHvVaGXnss.pgp
Description: PGP signature


Reply to: