[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Keysigning without physically meeting ... thoughts?

On Tuesday 31 May 2005 20:48, Jacob S wrote:
> > Regardless, how is this different from meeting someone in person? They
> > can  just show me their fake ID--I won't know it's fake. (And, as you
> > said,  forged ID happens a lot and is easily available. =)
> So why bother with steps 1 & 2 when 3 is the only one that carries any
> weight? Maybe there is a good reason that I do not know of, but I can
> not think of any. I am genuinely curious, though.

The general idea was to be purposefully overkill--that if they were going to 
forge something, they'd have to forge a whole lot of it. 

Partly, this was in response to the (perceived(?)) guideline that you 
shouldn't ever sign someone's public key unless you've met them in 
person--I was trying to narrow down all of the links that were important 
(seeing the person's face, seeing their ID, seeing that the two match, 
knowing that it was actually the person I saw who has control of the key 
and that same person has control of their e-mail address, etc).

Barring something I just totally missed, I believe what I wrote up is at 
least as good at determining that a person is who they say they are as 
meeting in person and checking ID's. Obviously there are always the issue 
of forgeries, but I don't think this method is any *worse* in the respect. 
But I thought I'd give anyone interested a chance to bang at the idea, 
because I'm curious if someone else knows something I don't. =)

Wesley J. Landaker <wjl@icecavern.net>
OpenPGP FP: 4135 2A3B 4726 ACC5 9094  0097 F0A9 8A4C 4CD6 E3D2

Attachment: pgpewcGMBTySU.pgp
Description: PGP signature

Reply to: