On Tue, May 31, 2005 at 09:03:12AM -0600, Wesley J. Landaker wrote:
> I wrote this up to someone. I thought I'd share it, and get your thoughts.
> (e.g. anybody see any weaknesses in #1-#3 that *aren't* present in the
> typical meet, check ID, get GPG fingerprint, assuming #4 is always used
> afterwards?)

Falsifying a government-issued ID is a criminal offence, regardless of
how often it happens (using it to buy alcohol is not important; they
simply raise the minimum age to compensate, so there's no need to
enforce it there). Falsifying a random photograph is not illegal at
all, and there is no reason why somebody wouldn't do it. Nothing here
has verified their identity with any strength to speak of. A person
who wants to generate an identity can do so with minimal effort and no
repercussions - so why wouldn't they?

> On Tuesday 31 May 2005 08:44, Wesley J. Landaker wrote:
> > For instance, I don't know if this is officially acceptable or not, but I
> > would probably be willing to sign someone's key even if I hadn't met them
> > in person, if I got in the mail:
> >
> > 1) A picture of them holding a recent newspaper with their GPG
> > fingerprint and signature written on it. (This would relate the person's
> > face & signature with their GPG key, and verify that it's recent).
> >
> > 2) A copy of an acceptable (probably government-issued, non-expired)
> > picture ID. (This would relate the person's face with their "government"
> > identity).
> >
> > 3) A signed, dated, and notarized statement saying something to the
> > effect of "My name is ______, my active e-mail that I control is
> > ____@______._____, and the GPG fingerprint of my active key that I
> > control and is not compromised is ______________________. Attached to
> > this statement is a picture of me with a newspaper dated _______ with the
> > same GPG fingerprint, and a copy of my _______ photo ID, which I have
> > shown to the undersigned notary. Signed __________, notarized by
> > ___________." (Relates the date (which should be reasonably close to the
> > time when the picture in #1 was taken--a few weeks at the most), their
> > name, e-mail, and GPG fingerprint together by the statement, and the
> > picture from #1, and with their "government" identity, as that is checked
> > by the notary).
> >
> > 4) I'd sign the key, and send the updated key to the e-mail address
> > given, signed by the GPG key with the fingerprint given. (Relates the
> > e-mail address with the GPG key, as if they can't get the e-mail or
> > decrypt the e-mail to get the signature, it effectively hasn't really
> > been signed).

-- 
  .''`.  ** Debian GNU/Linux ** | Andrew Suffield
 : :' :  http://www.debian.org/ |
 `. `'                          |
   `-             -><-          |