Re: GPG Key Signing <Pine.LNX.4.30.0106291016180.5417-100000@tennyson.netexpress.net>
>>"Steve" == Steve Langasek <vorlon@netexpress.net> writes:
>> Are you implying that ensuring the person whose identity you
>> verified actually controls the email address and the secret pass
>> phrase adds no value to the web of trust?
Steve> Out of curiosity, under what circumstances do you foresee
Steve> someone bringing a public key that has their name on it, and
Steve> their photo ID, to a keysigning party, when they don't have
Steve> the private key that matches it? I'm as puzzled
Steve> as Robbe wrt the problem this tries to solve.
A) I have had this experience (they just wanted a signature,
but they were not very serious about pgp).
B) Wrong question. If you only protect against something when
you know of an attack, you are unnecessarily vulnerable.
When you see my signature on the key, it means that
i) The owner had two forms of photo ID, or a passport and other
possibly non-photo means of identification (of course, the
identification documents may be forged)
ii) They (or a close conspirator) actually control every ID that I
have signed.
iii) They (or a close conspirator) have control of the secret key
corresponding to the signed IDs
It is my belief that these assertions provide value. The
protocol ensures that I can assert so.
manoj
--
Every nonzero finite dimensional inner product space has an
orthonormal basis. It makes sense, when you don't think about it.
Manoj Srivastava <srivasta@debian.org> <http://www.debian.org/%7Esrivasta/>
1024R/C7261095 print CB D9 F4 12 68 07 E4 05 CC 2D 27 12 1D F5 E8 6E
1024D/BF24424C print 4966 F272 D093 B493 410B 924B 21BA DABB BF24 424C