
Re: PGP and verifying ids / emails



> 
>    You are missing the point here.  I met you, learned by Government
> issued ID that you are, in fact, Kenneth Stephen, which is the name that
> appears on the pgp key whose fingerprint you gave me at our meeting.  Upon
> retrieving your actual public key and verifying the fingerprint, I know
> that this is, in fact, your public key, and I am happy to sign it.  The act
> of me signing that key says "I affirm that this key belongs to Kenneth
> Stephen by my own firsthand knowledge."

Hmmm...  As you mention below, trust is not transferable, right?

I seem to be missing something...

I have the ability to generate the fingerprint on any key that I have 
available to me.  Therefore, if I had a public key created and signed 
by "John Smith", I could in fact generate the fingerprint for that key.

By meeting you in person, presenting myself as "John Smith", showing 
(forged) credentials to that effect, and giving you "John Smith"'s 
fingerprint, you would be willing to sign "John Smith"'s key?

It seems that there is a missing step -- verification that I know "John 
Smith"'s private key.  Without that, you are trusting me that I am the 
person associated with that key.  With it, I have proven that I am the 
keyholder.

> > 3.  The developer also mentioned that all Debian developer records are
> > correlated against the real name. I would have no problems providing both
> > my IDs to the new-maintainer group and verifying my Bob Smith ID to them.
> > But would I be permitted to do uploads or whatever that requires a PGP
> > signature by a signed (by Bob Smith) key of Jor-el. For the curious, it's
> > just that I organized all my Debian activities on my machine around this
> > ID, while using my other ID for non-Debian activities. It would be a great
> > pain to change this.
> 
>    The name Kenneth Stephen is the only name you proved to me that is
> yours.  Would you interview for a job with a different name?  Pay your
> taxes with a different name?  

People do interview for jobs with different names.  The most common 
examples are entertainers ("stage names"), but there are other examples. 
James Earl Carter, Jr. took the oath as President as "Jimmy", not 
"James".

There are legitimate reasons why people would want to change their 
identity.  For instance, my original PGP key identifies me as 
associated with a particular educational institution.  Do I want to be 
signing everything with an email address which will not be valid in a 
year or so?  How can I assert that the two keys are in fact from the 
same person?

>    What pain is involved in telling pgp what key to use?
> 
>    Adam

-- 
     Buddha Buck                      bmbuck@zaphid.dhis.edu
"Just as the strength of the Internet is chaos, so the strength of our
liberty depends upon the chaos and cacophony of the unfettered speech
the First Amendment protects."  -- A.L.A. v. U.S. Dept. of Justice
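The two questions raised in the message above (what a key signer should check beyond a fingerprint handed over in person, and how one person can tie an old key to a new one) are shown below as an added example. It is not code from the thread or from Debian or PGP; it stands in Ed25519 keys for PGP keys and a SHA-256 digest for the PGP fingerprint, and the user IDs, challenge and certification formats are constructed for illustration. The first half is the missing step the message describes: an impostor who has only John Smith's public key can compute its fingerprint but cannot sign a fresh challenge, so the signer should demand that signature before certifying. The second half answers the old-key/new-key question the usual way: each key certifies the other, so anyone who trusts the old key can follow the certification to the new one.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Key stands in for a PGP key: an Ed25519 key pair plus a user ID.
// Assumption: a real OpenPGP key has much more structure; this models only
// who holds the private half, which is what the thread is about.
type Key struct {
	UserID string
	Pub    ed25519.PublicKey
	priv   ed25519.PrivateKey // nil when only the public half is held
}

// NewKey generates a fresh key pair for the given user ID.
func NewKey(userID string) (*Key, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Key{UserID: userID, Pub: pub, priv: priv}, nil
}

// PublicOnly is the key as anyone who fetched it from a keyserver holds it,
// including an impostor who can compute its fingerprint but cannot sign.
func (k *Key) PublicOnly() *Key { return &Key{UserID: k.UserID, Pub: k.Pub} }

// Fingerprint hashes the user ID and public key. Anyone holding the public
// key can compute it, so handing it over proves nothing about possession.
func (k *Key) Fingerprint() string {
	h := sha256.New()
	h.Write([]byte(k.UserID))
	h.Write(k.Pub)
	return hex.EncodeToString(h.Sum(nil))
}

// NewChallenge is the missing step from the message: a fresh random nonce the
// prospective signer gives the claimant, who must sign it with the private key.
func NewChallenge() ([]byte, error) {
	nonce := make([]byte, 32)
	_, err := rand.Read(nonce)
	return nonce, err
}

// Respond signs the challenge; it fails for anyone holding only the public key.
func (k *Key) Respond(challenge []byte) ([]byte, error) {
	if k.priv == nil {
		return nil, errors.New("no private key: cannot prove possession")
	}
	return ed25519.Sign(k.priv, challenge), nil
}

// VerifyOwnership is what the signer checks before certifying a key: the
// fetched key matches the fingerprint exchanged in person, and the claimant
// answered the challenge with the matching private key.
func VerifyOwnership(fpFromMeeting string, fetched *Key, challenge, response []byte) error {
	if fetched.Fingerprint() != fpFromMeeting {
		return errors.New("fetched key does not match the fingerprint given in person")
	}
	if !ed25519.Verify(fetched.Pub, challenge, response) {
		return errors.New("challenge was not signed by the key's private half")
	}
	return nil
}

// Certification models a PGP key signature: the signer vouches for the
// subject's fingerprint with the signer's own private key.
type Certification struct {
	SignerFP, SubjectFP string
	Sig                 []byte
}

// Certify signs the subject's fingerprint with the signer's key.
func (k *Key) Certify(subject *Key) (Certification, error) {
	sig, err := k.Respond([]byte(subject.Fingerprint()))
	if err != nil {
		return Certification{}, err
	}
	return Certification{SignerFP: k.Fingerprint(), SubjectFP: subject.Fingerprint(), Sig: sig}, nil
}

// VerifyCertification checks a certification against the two public keys.
func VerifyCertification(c Certification, signer, subject *Key) bool {
	return c.SignerFP == signer.Fingerprint() && c.SubjectFP == subject.Fingerprint() &&
		ed25519.Verify(signer.Pub, []byte(subject.Fingerprint()), c.Sig)
}

// LinkKeys ties an old key (say, one bound to an expiring university address)
// to a new one: each key certifies the other, so trust in either carries over.
func LinkKeys(oldKey, newKey *Key) (Certification, Certification, error) {
	oldOnNew, err := oldKey.Certify(newKey)
	if err != nil {
		return Certification{}, Certification{}, err
	}
	newOnOld, err := newKey.Certify(oldKey)
	return oldOnNew, newOnOld, err
}

func main() {
	john, _ := NewKey("John Smith <john@example.org>") // constructed sample identity
	impostor := john.PublicOnly()                       // has the fingerprint, not the private key
	nonce, _ := NewChallenge()
	_, err := impostor.Respond(nonce)
	fmt.Println("impostor:", err)
	resp, _ := john.Respond(nonce)
	fmt.Println("real keyholder:", VerifyOwnership(john.Fingerprint(), impostor, nonce, resp))
	oldKey, _ := NewKey("Buddha Buck <old@university.example>")
	newKey, _ := NewKey("Buddha Buck <new@example.org>")
	a, b, _ := LinkKeys(oldKey, newKey)
	fmt.Println("cross-certified:", VerifyCertification(a, oldKey, newKey) && VerifyCertification(b, newKey, oldKey))
}
```

In practice the challenge is often implicit: the signer mails the signed key to the address on the user ID, encrypted to that key, so only the private-key holder can ever publish the signature. The explicit nonce above makes the same check visible.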
