
Re: Keysigning without physically meeting ... thoughts?

On Tue, May 31, 2005 at 09:03:12AM -0600, Wesley J. Landaker wrote:
> I wrote this up to someone. I thought I'd share it, and get your thoughts.
> (e.g. anybody see any weaknesses in #1-#3 that *aren't* present in the 
> typical meet, check ID, get GPG fingerprint, assuming #4 is always used 
> afterwards?)

Falsifying a government-issued ID is a criminal offence, regardless of
how often it happens (using it to buy alcohol is not important; they
simply raise the minimum age to compensate, so there's no need to
enforce it there). Falsifying a random photograph is not illegal at
all, and there is no reason why somebody wouldn't do it. Nothing here
has verified their identity with any strength to speak of. A person
who wants to generate an identity can do so with minimal effort and no
repercussions - so why wouldn't they?

> On Tuesday 31 May 2005 08:44, Wesley J. Landaker wrote:
> > For instance, I don't know if this is officially acceptable or not, but I
> > would probably be willing to sign someone's key even if I hadn't met them
> > in person, if I got in the mail:
> >
> >   1) A picture of them holding a recent newspaper with their GPG
> > fingerprint and signature written on it. (This would relate the person's
> > face & signature with their GPG key, and verify that it's recent).
> >  
> >   2) A copy of an acceptable (probably government-issued, non-expired)
> > picture ID. (This would relate the person's face with their "government"
> > identity).
> >
> >   3) A signed, dated, and notarized statement saying something to the
> > effect of "My name is ______, my active e-mail that I control is
> > ____@______._____, and the GPG fingerprint of my active key that I
> > control and is not compromised is ______________________. Attached to
> > this statement is a picture of me with a newspaper dated _______ with the
> > same GPG fingerprint, and a copy of my _______ photo ID, which I have
> > shown to the undersigned notary. Signed __________, notarized by
> > ___________." (Relates the date (which should be reasonably close to the
> > time when the picture in #1 was taken--a few weeks at the most), their
> > name, e-mail, and GPG fingerprint together by the statement, and the
> > picture from #1, and with their "government" identity, as that is checked
> > by the notary).
> >
> >   4) I'd sign the key, and send the updated key to the e-mail address
> > given, signed by the GPG key with the fingerprint given. (Relates the
> > e-mail address with the GPG key, as if they can't get the e-mail or
> > decrypt the e-mail to get the signature, it effectively hasn't really
> > been signed).

  .''`.  ** Debian GNU/Linux ** | Andrew Suffield
 : :' :  http://www.debian.org/ |
 `. `'                          |
   `-             -><-          |

Attachment: signature.asc
Description: Digital signature
