Re: PGP and verifying ids / emails
>
> You are missing the point here. I met you, learned by Government
> issued ID that you are, in fact, Kenneth Stephen, which is the name that
> appears on the pgp key whose fingerprint you gave me at our meeting. Upon
> retrieving your actual public key and verifying the fingerprint, I know
> that this is, in fact, your public key, and I am happy to sign it. The act
> of me signing that key says "I affirm that this key belongs to Kenneth
> Stephen by my own firsthand knowledge."
Hmmm... As you mention below, trust is not transferable, right?
I seem to be missing something...
I have the ability to generate the fingerprint on any key that I have
available to me. Therefore, if I had a public key created and signed
by "John Smith", I could in fact generate the fingerprint for that key.
By meeting you in person, presenting myself as "John Smith", showing
(forged) credentials to that effect, and giving you "John Smith"'s
fingerprint, you would be willing to sign "John Smith"'s key?
It seems that there is a missing step -- verification that I know "John
Smith"'s private key. Without that, you are trusting me that I am the
person associated with that key. With it, I have proven that I am the
keyholder.
> > 3. The developer also mentioned that all Debian developer records are
> > correlated against the real name. I would have no problems providing both
> > my ids to the new-maintainer group and verifying my Bob Smith id to them.
> > But would I be permitted to do uploads or whatever that requires a PGP
> > signature by a signed (by Bob Smith) key of Jor-el. For the curious, it's
> > just that I organized all my Debian activities on my machine around this
> > id, while using my other id for non-Debian activities. It would be a great
> > pain to change this.
>
> The name Kenneth Stephen is the only name you proved to me that is
> yours. Would you interview for a job with a different name? Pay your
> taxes with a different name?
People do interview for jobs with different names. The most common
example is entertainers ("stage names"), but there are other examples.
James Earl Carter, Jr. took the oath as President as "Jimmy", not
"James".
There are legitimate reasons why people would want to change their
identity. For instance, my original PGP key identifies me as
associated with a particular educational institution. Do I want to be
signing everything with an email address which will not be valid in a
year or so? How can I assert that the two keys are in fact from the
same person?
> What pain is involved in telling pgp what key to use?
>
> Adam
--
Buddha Buck bmbuck@zaphid.dhis.edu
"Just as the strength of the Internet is chaos, so the strength of our
liberty depends upon the chaos and cacophony of the unfettered speech
the First Amendment protects." -- A.L.A. v. U.S. Dept. of Justice