
Re: gpg key validity question



I forgot to mention that we exchanged encrypted secret words and that I
checked the fingerprint when I met him.

He uses his email address in his gpg key, but his email address is not
related to his name.

I am sure he is the guy behind the key.
I started this thread because of the debian implication.

I believe that from the pure 'web of trust' point of view I can sign his
key.

Now from the Debian point of view, I don't know.
I understand that the NM process needs an ID. So whether I sign his key or
not, it should not be possible for him to go further without providing a
gpg key containing his name and signed by a DD.
So this tells me that I can sign his key.

But I am not sure there is no flaw in the NM process here:
- Would an authentication be required if his key without ID is signed
  by a DD?
- What if he adds a uid with ID to his key afterwards? I would not have
  signed this new uid, but then I am afraid that he would pass the
  'Identification' step of the NM process, even if he adds a false identity.

My current thought is that I will sign his key if he first adds a uid
with ID data corresponding to the ID I have checked.

Christophe

On Thu, Apr 25, 2002 at 09:40:29AM -0500, Steve Langasek wrote:
> On Thu, Apr 25, 2002 at 10:04:20AM -0400, christophe barbé wrote:
> 
> > I wonder if it is acceptable to sign a key from someone who:
> 
> > - I met personally and saw his ID
> > - I saw in a public meeting in a specific role (we can consider he
> >   is well known)
> > - I have a lot of public mails from, all of which are signed
> 
> > But the key makes no reference to his name.
> 
> > In my understanding the ID is useless, but I have enough elements to
> > believe he is the guy he says he is.
> 
> > I understand that if I sign his key I personally identify him and it
> > will be enough for him in regard to the identification part of the NM
> > process.
> 
> > Should I sign his key?
> 
> Since you're asking the question, I gather you also think there's
> something not quite right here.  When you sign someone's key, you're
> vouching that the key belongs to who it says it does.  That is, you're
> asserting that you have knowledge of the identity of the person using
> the key.  If the key doesn't have this person's name on it, what *does*
> it have on it?  Is he using a pseudonym?  Is he only using an email
> address?  I would not have a problem signing a key that had an email
> address with no name as a uid; however, such a key is not useful for
> the NM process: people become Debian Developers, not email addresses.
> 
> If the key uses a pseudonym, I would not sign it.
> 
> Have you received a PGP fingerprint from him in person?  If not, you
> don't have any proof that there isn't someone between you and him that
> intercepts all of his email and re-signs it with a different key.
> 
> Steve Langasek
> postmodern programmer



-- 
Christophe Barbé <christophe.barbe@ufies.org>
GnuPG FingerPrint: E0F6 FADF 2A5C F072 6AF8  F67A 8F45 2F1E D72C B41E

Imagination is more important than knowledge.
   Albert Einstein, On Science

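On the worry in the message above that a uid added after signing would look covered: an OpenPGP certification binds the signer to one user ID, not to the whole key. This added example (not part of the thread) parses the machine-readable output of `gpg --with-colons --list-sigs <key>` and lists the uids that carry no certification from a given signer key ID; the sample output, names and key IDs are constructed placeholders, not from any real key.

```python
"""Which user IDs on a key actually carry a given signer's certification?

Certifications are per uid, so a uid added to the key after you signed it
is not covered by your signature. Parse `gpg --with-colons --list-sigs`
output and report, per uid, which signer key IDs have certified it.
Note: --list-sigs does not verify signatures; use --check-sigs for that.
"""

# Constructed sample (not a real key): the first uid carries a self-sig and a
# certification from signer AAAAAAAAAAAAAAAA; the second uid was added later
# and carries only the key holder's self-signature.
SAMPLE = """\
pub:-:4096:1:1111111111111111:1019750000:::-:::scESC::::::23::0:
uid:-::::1019750000::HASH1::Some Person <person@example.org>::::::::::0:
sig:::1:1111111111111111:1019750000::::Some Person <person@example.org>:13x:::::2:
sig:::1:AAAAAAAAAAAAAAAA:1019760000::::Signer <signer@example.org>:10x:::::2:
uid:-::::1019800000::HASH2::Some Person <other@example.org>::::::::::0:
sig:::1:1111111111111111:1019800000::::Some Person <person@example.org>:13x:::::2:
"""


def certifications_by_uid(colon_output: str) -> dict[str, set[str]]:
    """Map each uid to the key IDs certifying it, minus revoked certifications."""
    certs: dict[str, set[str]] = {}
    revoked: dict[str, set[str]] = {}
    current = None  # uid the following sig/rev records belong to
    for line in colon_output.splitlines():
        fields = line.split(":")
        rectype = fields[0]
        if rectype == "uid":
            current = fields[9].replace("\\x3a", ":")  # gpg escapes ':' in uids
            certs.setdefault(current, set())
            revoked.setdefault(current, set())
        elif rectype in ("sig", "rev") and current is not None:
            signer = fields[4].upper()  # field 5: key ID of the signer
            (certs if rectype == "sig" else revoked)[current].add(signer)
        elif rectype in ("sub", "ssb"):
            current = None  # subkey binding signatures are not uid certifications
    return {uid: s - revoked[uid] for uid, s in certs.items()}


def uncovered_uids(colon_output: str, signer_keyid: str) -> list[str]:
    """uids on the key that the given signer has NOT certified."""
    by_uid = certifications_by_uid(colon_output)
    return [uid for uid, s in by_uid.items() if signer_keyid.upper() not in s]


if __name__ == "__main__":
    for uid in uncovered_uids(SAMPLE, "AAAAAAAAAAAAAAAA"):
        print("not certified by AAAAAAAAAAAAAAAA:", uid)
```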

