
Re: Removing < 2048 bit keys from the Debian keyrings



On 09/02/2014 12:28 PM, Manoj Srivastava wrote:
> On Tue, Sep 02 2014, Matthias Urlichs wrote:
> 
>> there's a GPG option (via the *-cert-level options, see 'man gpg')
>> to state how carefully you did verify their identity, but ultimately
>> it's up to you.
> 
>         That is not how I interpreted that option to mean.
> 
> ,----[ http://tools.ietf.org/html/rfc4880#section-5.2.3.13 ]
> | 5.2.3.13. Trust Signature
> | 

Manoj,

	I don't know how the *-cert-level options in gpg/gpg2 match up with
that section of RFC 4880. Actually, reading the sections in the man pages,
it reads very differently.


>>> man gpg|gpg2
              The default to use for the check level when signing a key.

              0 means you make no particular claim as to how carefully you
              verified the key.

              1 means you believe the key is owned by the person who claims
              to own it but you could not, or did not verify the key at all.
              This is useful for a "persona" verification, where you sign
              the key of a pseudonymous user.

              2 means you did casual verification of the key. For example,
              this could mean that you verified the key fingerprint and
              checked the user ID on the key against a photo ID.

              3 means you did extensive verification of the key. For
              example, this could mean that you verified the key fingerprint
              with the owner of the key in person, and that you checked, by
              means of a hard to forge document with a photo ID (such as a
              passport) that the name of the key owner matches the name in
              the user ID on the key, and finally that you verified (by
              exchange of email) that the email address on the key belongs
              to the key owner.

              Note that the examples given above for levels 2 and 3 are just
              that: examples. In the end, it is up to you to decide just
              what "casual" and "extensive" mean to you.

              This option defaults to 0 (no particular claim).
<<<

	From that, my understanding is that it is a means by which I, as the
signer of a key, can signify the verification taken to gain my signature on
said key. This understanding can also be emphasized if you include a
*-policy-url which outlines your process and interpretation for others to
check, if they wish to determine whether or not to trust the key with the
signature found on it.

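The cert-level mechanism discussed in this thread, as an added shell example that is not part of the mail or of GnuPG itself: it shows the flags used to attach a check level and a policy URL when certifying a key, and how the claimed level is read back from gpg's machine-readable listing. The key IDs, policy URL and sample `sig` records are constructed; the flag names are the ones documented in 'man gpg'.

```shell
#!/bin/sh
# Added example (constructed data); not code from the original mail or from GnuPG.

# (1) Certify a key with an explicit check level (0-3) and a policy URL that
# documents what that level means to you. Not run here: it needs a real
# keyring and a secret signing key.
certify_key() {
    level=$1; keyid=$2; url=$3
    gpg --default-cert-level "$level" --cert-policy-url "$url" --sign-key "$keyid"
}

# (2) In 'gpg --list-sigs --with-colons' each 'sig' record carries the
# signature class in field 11: "10x".."13x" are the RFC 4880 certification
# types 0x10..0x13, i.e. cert levels 0..3 ('x' marks an exportable sig).
# Constructed sample (pub/uid records omitted): a level-3 certification from
# one signer and a level-1 ("persona") certification from another.
SAMPLE_SIGS='sig:::1:1111111111111111:1409674801::::Bob <bob@example.org>:13x:
sig:::1:2222222222222222:1409674802::::Carol <carol@example.org>:11x:'

# Print "<signer keyid> <level>" for every certification in the listing.
cert_levels() {
    printf '%s\n' "$1" | awk -F: '$1 == "sig" && $11 ~ /^1[0-3]/ { print $5, substr($11, 2, 1) }'
}

# Keep only signers whose claimed level is at least $2. This mirrors what
# gpg's --min-cert-level (default 2) does when it builds the trust database:
# level-1 persona signatures are disregarded unless you lower that setting.
signers_at_least() {
    cert_levels "$1" | awk -v min="$2" '$2 + 0 >= min + 0 { print $1 }'
}

# With the default minimum of 2 only Bob's signature counts; Carol's
# persona-level signature is left out.
signers_at_least "$SAMPLE_SIGS" 2
```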

