On 09/02/2014 12:28 PM, Manoj Srivastava wrote: > On Tue, Sep 02 2014, Matthias Urlichs wrote: > >> there's a GPG option (via the the *-cert-level options, see 'man gpg') >> to state how carefully you did verify their identity, but ultimately >> it's up to you. > > That is not how I interpreted that option to mean. > > ,----[ http://tools.ietf.org/html/rfc4880#section-5.2.3.13 ] > | 5.2.3.13. Trust Signature > | Manoj, I don't know how the *-cert-level options in gpg/gpg2 match up with that section RFC480. Actually reading the sections in the man pages it reads very differently. >>> man gpg|gpg2 The default to use for the check level when signing a key. 0 means you make no particular claim as to how carefully you verified the key. 1 means you believe the key is owned by the person who claims to own it but you could not, or did not verify the key at all. This is useful for a "persona" verification, where you sign the key of a pseudonymous user. 2 means you did casual verification of the key. For example, this could mean that you verified the key fingerprint and checked the user ID on the key against a photo ID. 3 means you did extensive verification of the key. For example, this could mean that you verified the key finger‐ print with the owner of the key in person, and that you checked, by means of a hard to forge document with a photo ID (such as a passport) that the name of the key owner matches the name in the user ID on the key, and finally that you verified (by exchange of email) that the email address on the key belongs to the key owner. Note that the examples given above for levels 2 and 3 are just that: examples. In the end, it is up to you to decide just what "casual" and "extensive" mean to you. This option defaults to 0 (no particular claim). <<< From that my understanding is it is a means by which I as the signer of a key can signify the verification taken to gain my signature on said key. This can understanding can also be emphasized if you include a *-policy-url which outlines your process and interpretation for others to check if they wish to determine whether to trust or not the key with the signature found on it.
Attachment:
signature.asc
Description: OpenPGP digital signature