Re: PGP and verifying ids / emails
On Tue, 27 Jul 1999, Jor-el wrote:
> Hi,
>
> I recently had a developer sign my PGP key, but I havent yet
> resolved in my own mind some of the points he brought up.
>
> I use two email ids : this one (Jor-el <jorel@ibm.net>) and
> another one which uses my real name, and which for the purposes of this
> discussion, I will say is : "Bob Smith" <bob_smith@ibm.net>.
>
> I met the developer in person, and we exchanged PGP fingerprints.
> I provided him my PGP fingerprints for both my ids. I later sent him my
> public keys for signing (via an email using the Jor-el id), and he signed
> the Bob Smith id. He said that he couldnt sign the second (Jor-el) id
> since he hadnt seen any proof that I was in fact Jor-el.
>
> 1. Should he have signed my PGP key if the id I sent him was "Bob Smith"
> <jorel@ibm.net> . The "Bob Smith" tag is totally arbitrary and has less
> permanance than the actual email id attached to it. If he could sign it
> with the "Bob Smith" tag attached to it, why wouldnt he be able to sign a
> key for the same email id with the "Jor-el" tag attached to it?
You are missing the point here. I met you, learned by Government
issued ID that you are, infact, Kenneth Stephen, which is the name that
appears on the pgp key who's fingerprint you gave me at our meeting. Upon
retrieving your actual public key and verifying the fingerprint, I know
that this is, infact, your public key, and I am happy to sign it. The act
of me signing that key says "I affirm that this key belongs to Kenneth
Stephen by my own firsthand knowledge."
> 2. Lets assume that the answer to question (1) is that under no
> circumstances should he sign the Jor-el id. Would the Jor-el id be
> considered trustworthy enough for Debian, if I signed it with my "Bob
> Smith" PGP key (and given the fact that I had a trusted developer sign the
> Bob Smith key)? I would be inclined to say 'yes' since, Jor-el could in
> fact be a totally separate individual, whose key could have been signed by
> me ("Bob Smith") - after which Jor-el would then be PGP trusted.
Trust is not transferable. Me signing your key tells the world I know
this key belongs to it's owner. It doesn't say anything about the owner
or what I trust the owner to do. I only signed your key.
Please, read the pgp documentation again, /usr/doc/pgp/pgppdoc[12].doc.
These are Basic questions that you should know.
> 3. The developer also mentioned that all Debian developer records are
> correlated against the real name. I would have no problems providing both
> my ids to the new-maintainer group and verifying my Bob Smith id to them.
> But would I be permitted to do uploads or whatever that requires a PGP
> signature by a signed (by Bob Smith) key of Jor-el. For the curious, its
> just that I organized all my Debian activities on my machine around this
> id, while using my other id for non-Debian activities. It would be a great
> pain to change this.
The name Kenneth Stephen is the only name you proved to me that is
yours. Would you interview for a job with a different name? Pay your
taxes with a different name?
What pain is involved in telling pgp what key to use?
Adam
Reply to: