
Re: GPG Key Signing



On Fri, 29 Jun 2001, Manoj Srivastava wrote:

> >>"Robbe" == Robert Bihlmeyer <robbe@orcus.priv.at> writes:

>  Robbe> What additional security does this protocol offer over simple ID
>  Robbe> checking? IOW, what problem does it solve?

> 	Are you implying that ensuring the person whose identity you
>  verified actually controls the email address and the secret pass
>  phrase adds no value to the web of trust?

Out of curiosity, under what circumstances do you foresee someone bringing a
public key that has their name on it, and their photo ID, to a keysigning
party, when they don't have the private key that matches it?  I'm as puzzled
as Robbe wrt the problem this tries to solve.

Proving that they control the email address they're asking you to sign does
add something to the WoT; I would be inclined to not sign /any/ of the uids of
someone I found out had asked me to sign a uid that wasn't theirs.  I just
can't understand why we have to worry about anyone misrepresenting a key as
their own when it has their name on it, since that only hurts their digital
identity.

Steve Langasek
postmodern programmer


