
Re: Keysigning without physically meeting ... thoughts?



On Tuesday 31 May 2005 20:48, Jacob S wrote:
> > Regardless, how is this different from meeting someone in person? They
> > can just show me their fake ID--I won't know it's fake. (And, as you
> > said, forged ID happens a lot and is easily available. =)
>
> So why bother with steps 1 & 2 when 3 is the only one that carries any
> weight? Maybe there is a good reason that I do not know of, but I can
> not think of any. I am genuinely curious, though.

The general idea was to be purposefully overkill--that if they were going to 
forge something, they'd have to forge a whole lot of it. 

Partly, this was in response to the (perceived(?)) guideline that you 
shouldn't ever sign someone's public key unless you've met them in 
person--I was trying to narrow down all of the links that were important 
(seeing the person's face, seeing their ID, seeing that the two match, 
knowing that it was actually the person I saw who has control of the key 
and that same person has control of their e-mail address, etc).

Barring something I just totally missed, I believe what I wrote up is at 
least as good at determining that a person is who they say they are as 
meeting in person and checking IDs. Obviously there is always the issue 
of forgeries, but I don't think this method is any *worse* in that respect. 
But I thought I'd give anyone interested a chance to bang at the idea, 
because I'm curious if someone else knows something I don't. =)

-- 
Wesley J. Landaker <wjl@icecavern.net>
OpenPGP FP: 4135 2A3B 4726 ACC5 9094  0097 F0A9 8A4C 4CD6 E3D2
