
Re: gpg key validity question



On Thu, Apr 25, 2002 at 10:04:20AM -0400, Christophe Barbé wrote:
> I wonder if it is acceptable to sign a key from someone that :
>   [irrelevant stuff]
> But the key makes no references to his name.
> 
> In my understanding the ID is useless but I have enough elements to
> believe he is the guy he said he is.

You're not vouching for his real life identity!

> I understand that if I sign his key I personally identify him and it
> will be enough for him in regard to the identification part of the NM
> process.
> 
> Should I sign his key ?


No!  One doesn't really sign "keys".  One signs identification.  If you meet
someone, your goal is to match the picture ID with the face, and the name on
the ID with the UID in the keyring.  Just because we meet, and I show you
an ID doesn't mean you should accept any key I give you, else I could have
you vouch for the identity of myself as "Bubba <president@whitehouse.gov>".

Now, there's usually no good way to match the email address with the
person, but as long as the name-part of the ID is okay, you might be
comfortable signing those you're reasonably sure are okay, but only if they
have the person's real name.  "Chad Miller <president@whitehouse.gov>" is
hard to dispute in a bar, but you should make ABSOLUTELY SURE about the
Chad Miller part.  It's the "Chad Miller" part that you're signing.

In short, meet someone.  Match their face to their ID.  Match their ID to
the key UID they claim.  Glance at the email address, to check that it's
not obviously bogus.  If any fail, then do nothing.

							- chad
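The procedure Chad describes is per user ID, not per key: a certification is attached to one UID, so the check that matters is whether the name part of that UID matches the name on the document you inspected. The following is an added example, not code from the thread or from GnuPG: it parses the colon-delimited output of `gpg --with-colons --list-keys` (the listing embedded below is constructed, with placeholder key IDs and fingerprints), splits each UID into name and e-mail, and reports which UIDs a signer who has verified the name "Chad Miller" could certify and which must be refused because the name does not match or there is no real name at all. The `classify`, `split_uid` and `normalize_name` helpers are this example's own.

```python
"""Decide, per user ID, whether a key-signing certification is justified.

Added example (not from the list thread, not GnuPG's own code): given the
colon-delimited output of `gpg --with-colons --list-keys` and the name read
from a government ID, report for each UID whether its name part matches.
Only the name is checked; the e-mail address is reported for a sanity glance.
"""
import re
import unicodedata

# Constructed sample of `gpg --with-colons --list-keys` output.
# Key IDs and fingerprints are placeholders, not a real key.
SAMPLE_LISTING = """\
tru::1:1019000000:0:3:1:5
pub:-:4096:1:0000000000000000:1019000000::-:::scESC::::::23::0:
fpr:::::::::0000000000000000000000000000000000000000:
uid:-::::1019000000::0000000000000000000000000000000000000000::Chad Miller <president@whitehouse.gov>::::::::::0:
uid:-::::1019000000::1111111111111111111111111111111111111111::Bubba <bubba@example.org>::::::::::0:
uid:-::::1019000000::2222222222222222222222222222222222222222::chad@example.org::::::::::0:
sub:-:4096:1:1111111111111111:1019000000::::::e::::::23:
"""

# "Name (comment) <email>" as GnuPG formats user IDs; comment is optional.
UID_RE = re.compile(r"^(?P<name>.*?)\s*(?:\((?P<comment>[^)]*)\))?\s*<(?P<email>[^>]+)>$")


def normalize_name(name: str) -> str:
    """Case-fold, strip accents and collapse whitespace so 'BARBÉ' == 'barbe'."""
    decomposed = unicodedata.normalize("NFKD", name)
    stripped = "".join(c for c in decomposed if not unicodedata.combining(c))
    return " ".join(stripped.casefold().split())


def split_uid(uid: str) -> tuple[str, str]:
    """Return (name, email) for a UID string; name is '' when none is present."""
    m = UID_RE.match(uid.strip())
    if m:
        return m.group("name").strip(), m.group("email").strip()
    # A bare address with no display name: no name part at all.
    if "@" in uid and " " not in uid.strip():
        return "", uid.strip()
    return uid.strip(), ""


def parse_uids(listing: str) -> list[tuple[str, str]]:
    """Yield (key_id, uid_string) pairs from colon-format key listings."""
    key_id = ""
    result = []
    for line in listing.splitlines():
        fields = line.split(":")
        if fields[0] == "pub":
            key_id = fields[4]           # field 5 of a pub record is the key ID
        elif fields[0] == "uid":
            # field 10 of a uid record is the user ID; ':' is escaped as \x3a
            result.append((key_id, fields[9].replace("\\x3a", ":")))
    return result


def classify(listing: str, verified_name: str) -> list[dict]:
    """Decide per UID: sign only when the name part equals the verified name."""
    wanted = normalize_name(verified_name)
    decisions = []
    for key_id, uid in parse_uids(listing):
        name, email = split_uid(uid)
        if not name:
            decision = "reject: no real name"
        elif normalize_name(name) != wanted:
            decision = "reject: name mismatch"
        else:
            decision = "sign"
        decisions.append({"key_id": key_id, "uid": uid, "name": name,
                          "email": email, "decision": decision})
    return decisions


if __name__ == "__main__":
    for d in classify(SAMPLE_LISTING, "Chad Miller"):
        print(f"{d['decision']:24} {d['uid']}   (email: {d['email'] or '-'})")
```

Run against a real keyring with `gpg --with-colons --list-keys <keyid>` piped into `classify`; in `gpg --edit-key` you would then select only the UIDs reported as `sign` before issuing `sign`, leaving the pseudonymous or name-less UIDs uncertified.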




