
Re: gpg key validity question



On Thu, Apr 25, 2002 at 10:50:43AM -0400, Chad Miller wrote:
> No!  One doesn't really sign "keys".  One signs identification.  If you meet
> someone, your goal is to match the picture ID with the face, and the name on
> the ID with the UID in the keyring.  Just because we meet, and I show you
> an ID doesn't mean you should accept any key I give you, else I could have
> you vouch for the identity of myself as "Bubba <president@whitehouse.gov>".
> 
> Now, there's usually no good way to match the email address with the
> person, but as long as the name-part of the ID is okay, you might be
> comfortable signing those you're reasonably sure are okay, but only if they
> have the person's real name.  "Chad Miller <president@whitehouse.gov>" is
> hard to dispute in a bar, but you should make ABSOLUTELY SURE about the
> Chad Miller part.  It's the "Chad Miller" part that you're signing.
> 
> In short, meet someone.  Match their face to their ID.  Match their ID to
> the key UID they claim.  Glance at the email address, to check that it's
> not obviously bogus.  If any fail, then do nothing.
> 
> 							- chad

I understand your point of view. 

But:

IDs are easily forged. I am sure of that since I have seen how it works
here in the US when I got my Pennsylvania Driving License. In France
(where I am from) I believe it is harder to fake an ID but it's still
possible. I consider the ID to be ONLY a part of the verification
process. I believe that someone who signs a key of someone he knows well
after exchanging encrypted email gives you a stronger proof than someone
who signs a key simply after seeing the fingerprint and the ID at a
signing party and meeting the person for the first and last time.

Christophe

-- 
Christophe Barbé <christophe.barbe@ufies.org>
GnuPG FingerPrint: E0F6 FADF 2A5C F072 6AF8  F67A 8F45 2F1E D72C B41E

Cats seem to go on the principle that it never does any harm to ask for
what you want. --Joseph Wood Krutch

Attachment: pgpwKcwcKPwKM.pgp
Description: PGP signature